RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: 275m-records (2 articles)Clear
breach
2026-05-13

Instructure paid ShinyHunters' ransom to stop the 3.65TB Canvas data leak, and the US Congress launched an inquiry the same day

Update on the Canvas breach covered May 4, 8, and 12: Instructure paid an undisclosed ransom to ShinyHunters on Tuesday to stop publication of the 3.65 TB dataset covering 8,809 educational organizations and 275 million students and staff. Hours later, the US House Education Committee launched a formal inquiry requesting testimony from Instructure leadership about the breach and the decision to pay. This is the largest known education-sector ransom payment. The FBI's 'don't pay' guidance now collides with Congressional scrutiny of the payment decision.

instructurecanvasshinyhuntersransom-paidus-congresseducationfollow-upferpacoppa3-65tb275m-records
Check
Contact Instructure for written confirmation your school's data is off the leak schedule. Check Canvas API logs for bulk exports between February and April.
Affected
8,809 schools, universities, and training organizations on Canvas. K-12 districts face state student-privacy obligations (NY 2-d, SOPIPA, ~130 statutes) independent of payment. Universities face FERPA obligations.
Fix
Issue COPPA and FERPA notifications per state timelines regardless of ransom payment - the data was already exposed before the deal. Rotate Canvas API keys and re-authorize integrations.
breach
2026-05-03

Hackers tell schools to pay by Tuesday or 275 million students' messages and IDs go public - Canvas operator Instructure confirms breach

Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.

instructurecanvasshinyhunters275m-records9000-schoolsfollow-upmay-6-deadlinesalesforcesecond-breachpowerschool-comparisoncoppaferpa
Check
If your school or organization uses Canvas, prepare your student/parent breach notification template this week - Instructure data is likely to be public by Tuesday.
Affected
Schools, universities, and corporate training organizations using Canvas - 9,000 institutions globally, 275 million individuals. Acute risk for K-12 districts where data on under-13 students falls under COPPA and state student privacy laws (NY Education Law 2-d, California SOPIPA, ~130 similar state statutes). Salesforce-integrated Canvas tenants face additional exposure.
Fix
Rotate every Canvas API key and re-authorize integrations as Instructure has now mandated. Pull your district's Canvas data-sharing inventory and identify which downstream tools held copies. For K-12: prepare COPPA and state-AG notification templates now - PowerSchool's breach triggered class actions in 11 states. Brief students, parents, and faculty that any 'Canvas account verification' email this week is potentially hostile.