coppa - TrustStrike Labs

breach

2026-05-13

Instructure paid ShinyHunters' ransom to stop the 3.65TB Canvas data leak, and the US Congress launched an inquiry the same day

Update on the Canvas breach covered May 4, 8, and 12: Instructure paid an undisclosed ransom to ShinyHunters on Tuesday to stop publication of the 3.65 TB dataset covering 8,809 educational organizations and 275 million students and staff. Hours later, the US House Education Committee launched a formal inquiry requesting testimony from Instructure leadership about the breach and the decision to pay. This is the largest known education-sector ransom payment. The FBI's 'don't pay' guidance now collides with Congressional scrutiny of the payment decision.

instructure canvas shinyhunters ransom-paid us-congress education follow-up ferpa coppa 3-65tb 275m-records

Check: Contact Instructure for written confirmation your school's data is off the leak schedule. Check Canvas API logs for bulk exports between February and April.
Affected: 8,809 schools, universities, and training organizations on Canvas. K-12 districts face state student-privacy obligations (NY 2-d, SOPIPA, ~130 statutes) independent of payment. Universities face FERPA obligations.
Fix: Issue COPPA and FERPA notifications per state timelines regardless of ransom payment - the data was already exposed before the deal. Rotate Canvas API keys and re-authorize integrations.

threat

2026-05-08

ShinyHunters is now extorting individual schools using stolen Canvas data - thousands of K-12 districts and universities receiving direct ransom demands

Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.

instructure canvas shinyhunters follow-up mass-extortion 8800-schools powerschool-comparison ferpa coppa state-student-privacy-laws krebs

Check: If your school uses Canvas, check whether you've received any direct extortion communications referencing real Canvas data since May 4. Audit Canvas API access logs for bulk data exports between February and April.
Affected: 8,800+ schools, universities, and corporate training organizations using Canvas. K-12 districts face acute risk under state student-privacy laws (NY 2-d, California SOPIPA, ~130 similar statutes) plus COPPA for under-13 student data. Universities face FERPA exposure. Smaller institutions without legal counsel are most likely to pay rather than report.
Fix: Do not respond directly to extortion communications - report to FBI IC3 first and consult legal counsel before any contact. Notify affected students, parents, and faculty per state notification timelines (most require 30-60 days). Issue COPPA and FERPA notifications where applicable. Rotate Canvas API keys and re-authorize integrations. Track Instructure's response separately - many schools report the vendor unresponsive on individual cases.

breach

2026-05-03

Hackers tell schools to pay by Tuesday or 275 million students' messages and IDs go public - Canvas operator Instructure confirms breach

Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.

instructure canvas shinyhunters 275m-records 9000-schools follow-up may-6-deadline salesforce second-breach powerschool-comparison coppa ferpa

Check: If your school or organization uses Canvas, prepare your student/parent breach notification template this week - Instructure data is likely to be public by Tuesday.
Affected: Schools, universities, and corporate training organizations using Canvas - 9,000 institutions globally, 275 million individuals. Acute risk for K-12 districts where data on under-13 students falls under COPPA and state student privacy laws (NY Education Law 2-d, California SOPIPA, ~130 similar state statutes). Salesforce-integrated Canvas tenants face additional exposure.
Fix: Rotate every Canvas API key and re-authorize integrations as Instructure has now mandated. Pull your district's Canvas data-sharing inventory and identify which downstream tools held copies. For K-12: prepare COPPA and state-AG notification templates now - PowerSchool's breach triggered class actions in 11 states. Brief students, parents, and faculty that any 'Canvas account verification' email this week is potentially hostile.