Last updated: May 13, 2026 at 5:42 AM UTC

Instructure paid ShinyHunters' ransom to stop the 3.65TB Canvas data leak, and the US Congress launched an inquiry the same day

Update on the Canvas breach covered May 4, 8, and 12: Instructure paid an undisclosed ransom to ShinyHunters on Tuesday to stop publication of the 3.65 TB dataset covering 8,809 educational organizations and 275 million students and staff. Hours later, the US House Education Committee launched a formal inquiry requesting testimony from Instructure leadership about the breach and the decision to pay. This is the largest known education-sector ransom payment. The FBI's 'don't pay' guidance now collides with Congressional scrutiny of the payment decision.

Check
Contact Instructure for written confirmation that your school's data is off the leak schedule. Check Canvas API logs for bulk exports between February and April.
Affected
8,809 schools, universities, and training organizations on Canvas. K-12 districts face state student-privacy obligations (NY 2-d, SOPIPA, ~130 statutes) independent of payment. Universities face FERPA obligations.
Fix
Issue COPPA and FERPA notifications per state timelines regardless of ransom payment: the data was already exposed before the deal. Rotate Canvas API keys and re-authorize integrations.