RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: education (2 articles)Clear
breach
2026-05-13

Instructure paid ShinyHunters' ransom to stop the 3.65TB Canvas data leak, and the US Congress launched an inquiry the same day

Update on the Canvas breach covered May 4, 8, and 12: Instructure paid an undisclosed ransom to ShinyHunters on Tuesday to stop publication of the 3.65 TB dataset covering 8,809 educational organizations and 275 million students and staff. Hours later, the US House Education Committee launched a formal inquiry requesting testimony from Instructure leadership about the breach and the decision to pay. This is the largest known education-sector ransom payment. The FBI's 'don't pay' guidance now collides with Congressional scrutiny of the payment decision.

instructurecanvasshinyhuntersransom-paidus-congresseducationfollow-upferpacoppa3-65tb275m-records
Check
Contact Instructure for written confirmation your school's data is off the leak schedule. Check Canvas API logs for bulk exports between February and April.
Affected
8,809 schools, universities, and training organizations on Canvas. K-12 districts face state student-privacy obligations (NY 2-d, SOPIPA, ~130 statutes) independent of payment. Universities face FERPA obligations.
Fix
Issue COPPA and FERPA notifications per state timelines regardless of ransom payment - the data was already exposed before the deal. Rotate Canvas API keys and re-authorize integrations.
breach
2026-04-26

Udemy customer and instructor data leaked publicly after ShinyHunters' extortion deadline expires - 1.4 million records including PayPal payout details

Online learning giant Udemy's customer and instructor data was leaked publicly today after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1.4 million unique email addresses. The dataset goes well beyond contact information: it includes full names, physical addresses, phone numbers, employer details, and instructor payout methods - PayPal email addresses, mailing addresses for cheques, and bank transfer details. Udemy was listed on ShinyHunters' 'pay or leak' portal April 24 with a three-day deadline. The company has not publicly confirmed the breach or said how attackers got in.

udemyshinyhuntersextortioninstructor-payoutspaypaleducationleak-confirmed
Check
Reset your Udemy password if you have an account, especially if you're an instructor with payout details on file, and watch for highly targeted phishing.
Affected
Udemy customers and instructors with accounts before April 2026, particularly instructors whose PayPal addresses, cheque mailing addresses, and bank transfer details are in the leak. Any organization using Udemy for staff training has employee details exposed and should expect tailored phishing referencing real course history.
Fix
Reset Udemy passwords and rotate any password reused on other accounts. Instructors should monitor PayPal and bank accounts and contact PayPal to flag the email as compromised. Brief staff that any 'Udemy' email referencing their real course history is potentially hostile - go to udemy.com directly rather than clicking links. Add Udemy lookalike domains to your DMARC monitoring.