Lawmakers are seeking answers from educational technology vendor Instructure, following the high-profile compromise of the company’s Canvas learning management system (LMS) that left thousands of schools and universities without grade reporting and other functions this month.
The House Committee on Homeland Security this week requested Instructure appear before the committee for a briefing on the recent attacks against the edtech company. In a letter to Instructure CEO Steve Daly, the committee questioned why the company was breached twice in the span of a week by the infamous ShinyHunters cybercrime group. Also likely on the docket will be the questions of whether it paid a ransom to the cyberattackers, and whether the incident is related to another attack on its Salesforce environment last fall.
“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” committee chairman Andrew R. Garbarino (R-NY) wrote in the letter, requesting the company meet with members no later than May 21.
Instructure disclosed the initial breach May 1, acknowledging that threat actors had obtained “certain identifying information of users,” including names, emails, student ID numbers, and private messages. ShinyHunters, meanwhile, claimed it possessed more than 3TB of sensitive data from Instructure users representing more than 9,000 educational institutions.
Instructure temporarily took Canvas offline to investigate, then declared the intrusion “resolved” May 6 and said its LMS was “fully operational.” But the following day, ShinyHunters returned, compromising Canvas and posting a ransom demand on the platform login pages.
The ongoing threat activity has raised questions from lawmakers about Instructure’s response to the initial attack, how the company resolved the matter, and — perhaps most importantly — when it was first breached by ShinyHunters.
Did Instructure Pay the ShinyHunters Ransom?
In a similar letter to Instructure on Tuesday, the US Senate Committee on Health, Education, Labor, and Pensions said it was investigating the attacks and posed a litany of questions to Daly, including the types of data affected by the breach and the security improvements it has made in the aftermath. The committee’s letter pressed the edtech company about its May 11 statement in which Instructure said it “reached an agreement” with the threat actor behind the attacks.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” Instructure said in the update, adding that the stolen data was “returned” and attackers provided digital confirmation of its destruction. “This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”
While the company did not admit to paying a ransom, that’s the most likely scenario, as ShinyHunters removed Instructure’s listing from its data leak site — a move ransomware and data extortion groups typically reserve for victim organizations that pay up. ShinyHunters also issued a statement May 13, saying the group had nothing more to add to the “recent situation at the LMS company” and there was no need for impacted organizations to contact ShinyHunters directly anymore.
The Senate committee’s letter also raised questions about “a previous cybersecurity incident in September 2025,” and what remedial steps were taken following that attack. The incident in question resulted from a compromise of the company’s Salesforce instance, which was disclosed Sept. 21, 2025. Scattered Lapsus$ Hunters, a cybercriminal collective apparently composed of members of Scattered Spider, Lapsus$, and ShinyHunters, listed Instructure on their leak site at the time, as part of a spate of Salesforce incursions last fall that also included companies like Chanel and Qantas Airways. But the culprit behind the attack, as well as many of the other Salesforce breaches, was UNC6040, a threat actor tied to ShinyHunters, according to Google Threat Intelligence Group researchers.
Regardless, it all raises the question of whether data from the Salesforce attack was used to carry out this month’s offensive; the answer is unclear, but researchers are emphasizing that the company was clearly earmarked as a repeat target, which in and of itself is concerning.
Instructure Fails to Keep Attackers at Bay After Salesforce
Following the Salesforce breach in September 2025, which Instructure said stemmed from a social engineering attack, the edtech company said it “moved quickly to contain the activity” and conducted a thorough investigation with third-party experts. “Subsequently, we have implemented additional security measures to help prevent similar incidents in the future,” the company said in the disclosure. Dark Reading contacted Instructure for comment on whether the Salesforce breach was connected to the recent attacks, but the company did not respond at press time.
In a blog post this week, Abbas Kudrati, chief identity security advisor at Silverfort, wrote that ShinyHunters’ recent activity was “categorically different” compared to the September attack, which was limited to the Salesforce instance. However, “This shows that ShinyHunters views Instructure as a high-value target worth revisiting — and any institution relying on Canvas should assume the same targeting could happen again,” Kudrati wrote.
Roy Akerman, vice president of identity security strategy at Silverfort, tells Dark Reading that it’s typical for threat actors like ShinyHunters to collect as much data as possible from a compromise and use it to their full advantage for a follow-up attack. But the bigger question for Instructure, he says, is what the company did once it detected malicious activity inside its environment.
“The story to me is that attackers are persistent, and it doesn’t really matter if they found one piece [of data] that was re-used or not,” Akerman says. “Maybe for the legislators, it will matter because it will show negligence or something like that. But I believe at the end of the day, if you’re under attack then you need to get yourself into a different mode, and you need to assume that one day they’ll place a foothold in your organization. And what’s your play then?”
Presumably, Instructure will appear before lawmakers in the near future, although it’s unclear if the briefings will be public. In the meantime, Silverfort urged customers to monitor their environments in real time for anomalous authentication behavior and other signs of lateral movement. “The window between initial compromise and significant damage is often hours,” Kudrati said.
