Congress Puts Heat on Instructure After Canvas Outage TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsApplication SecurityAttackers Weaponize RubyGems for Data Dead DropsAttackers Weaponize RubyGems for Data Dead DropsbyAlexander CulafiMay 13, 20264 Min ReadСloud SecurityLatAm Vibe Hackers Generate Custom Hacking Tools on the FlyLatAm Vibe Hackers Generate Custom Hacking Tools on the FlybyAlexander CulafiMay 13, 20265 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryCyberattacks & Data BreachesIdentity & Access Management SecurityCyber RiskVulnerabilities & ThreatsNewsCongress Puts Heat on Instructure After Canvas OutageThe House Committee on Homeland Security sent a letter about the Canvas cyberattack, the same day that the edtech company said it reached an "agreement" with the ShinyHunters cybercriminals.Rob Wright,Senior News Director,Dark ReadingMay 14, 20266 Min ReadSource: pictoKraft via Alamy stock photoLawmakers are seeking answers from educational technology vendor Instructure, following the high-profile compromise of the company's Canvas learning management system (LMS) that left thousands of schools and universities without grade reporting and other functions this month. The House Committee on Homeland Security this week requested Instructure appear before the committee for a briefing on the recent attacks against the edtech company. In a letter to Instructure CEO Steve Daly, the committee questioned why the company was breached twice in the span of a week by the infamous ShinyHunters cybercrime group. Also likely on the docket will be the questions of whether it paid a ransom to the cyberattackers, and whether the incident is related to another attack on its Salesforce environment last fall."The recurrence of an intrusion within days of an initial breach disclosure, and Instructure's apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds," committee chairman Andrew R. Garbarino (R-NY) wrote in the letter, requesting the company meet with members no later than May 21.Related:Cyber Pioneers Ponder Past as PrologueInstructure disclosed the initial breach May 1, acknowledging that threat actors had obtained "certain identifying information of users," including names, emails, student ID numbers, and private messages. ShinyHunters, meanwhile, claimed it possessed more than 3TB of sensitive data from Instructure users representing more than 9,000 educational institutions.Instructure temporarily took Canvas offline to investigate, and then declared the intrusion "resolved" May 6 and that its LMS was "fully operational." But the following day, ShinyHunters returned, compromising Canvas and posting a ransom demand on the platform login pages.The ongoing threat activity has raised questions from lawmakers about Instructure's response to the initial attack, how the company resolved the matter, and —  perhaps most importantly — when it was first breached by ShinyHunters.Did Instructure Pay the ShinyHunters Ransom?In a similar letter to Instructure on Tuesday, the US Senate Committee on Health, Education, Labor, and Pensions said it was investigating the attacks and posed a litany of questions to Daly, including the types of data affected by the breach and the security improvements it has made in the aftermath. The committee's letter pressed the edtech company about its May 11 statement in which Instructure said it "reached an agreement" with the threat actor behind the attacks. Related:'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine"We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise," Instructure said in the update, adding that the stolen data was "returned" and attackers provided digital confirmation of its destruction. "This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor."While the company did not admit to paying a ransom, that's the most likely scenario, as ShinyHunters removed Instructure's listing from its data leak site — a move ransomware and data extortion groups typically reserve for victim organizations that pay up. ShinyHunters also issued a statement May 13, saying the group had nothing more to add to the "recent situation at the LMS company" and there was no need for impacted organizations to contact ShinyHunters directly anymore. The Senate committee's letter also raised questions about "a previous cybersecurity incident in September 2025," and what remedial steps were taken following that attack. The incident in question resulted from a compromise of the company's Salesforce instance, which was disclosed Sept. 21, 2025. Scattered Lapsus$ Hunters, a cybercriminal collective apparently composed of members of Scattered Spider, Lapsus$, and ShinyHunters, listed Instructure on their leak site at the time, as part of a spate of Salesforce incursions last fall that also included companies like Chanel and Qantas Airways. But the culprit behind the attack, as well as many or the other Salesforce breaches, was UNC6040, a threat actor tied to ShinyHunters, according to Google Threat Intelligence Group researchers. Related:Foxconn Attack Highlights Manufacturing's Cyber CrisisRegardless, it all raises the question of whether data from the Salesforce attack was used to carry out this month's offensive; the answer is unclear, but researchers are emphasizing that the company was clearly earmarked as a repeat target, which in and of itself is concerning.Instructure Fails to Keep Attackers at Bay After SalesforceFollowing the Salesforce breach in September 2025, which Instructure said stemmed from a social engineering attack, the edtech company said it "moved quickly to contain the activity" and conducted a thorough investigation with third-party experts. "Subsequently, we have implemented additional security measures to help prevent similar incidents in the future," the company said in the disclosure. Dark Reading contacted Instructure for comment on whether Salesforce breach was connected to the recent attacks, but the company did not respond at press time. In a blog post this week, Abbas Kudrati, chief identity security advisor at Silverfort, wrote that ShinyHunters' recent activity was "categorically different" compared to the September attack, which was limited to the Salesforce instance. However, "This shows that ShinyHunters views Instructure as a high-value target worth revisiting — and any institution relying on Canvas should assume the same targeting could happen again," Kudrati wrote.Roy Akerman, vice president of identity security strategy at Silverfort, tells Dark Reading that it's typical for threat actors like ShinyHunters to collect as much data as possible from a compromise and use it to their full advantage for a follow-up attack. But the bigger question for Instructure, he says, is what the company did once it detected malicious activity inside its environment."The story to me is that attackers are persistent, and it doesn't really matter if they found one piece [of data] that was re-used or not," Akerman says. "Maybe for the legislators, it will matter because it will show negligence or something like that. But I believe at the end of the day, if you're under attack then you need to get yourself into a different mode, and you need to assume that one day they'll place a foothold in your organization. And what's your play then?"Presumably, Instructure will appear before lawmakers in the near future, although it's unclear if the briefings will be public. In the meantime, Silverfort urged customers to monitor their environments in real time for anomalous authentication behavior and other signs of lateral movement. "The window between initial compromise and significant damage is often hours," Kudrati said.Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!About the AuthorRob WrightSenior News Director, Dark ReadingRob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area. See more from Rob WrightWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security Management2025 State of MalwareAccess More ResearchWebinarsHow Security Teams should apply Threat Intelligence into their DefensesYour Guide to Securing AI Adoption in Your OrganizationWhat is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspacePrompt Injection Is Just the Start: Securing LLMs in AI SystemsMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsHow Security Teams should apply Threat Intelligence into their DefensesThurs, June 11, 2026 at 1pm ESTYour Guide to Securing AI Adoption in Your OrganizationTues, June 9, 2026 at 1pm ESTWhat is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?Wed, June 3, 2026 at 1pm ESTThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspaceWed, June 24,2026 at 1pm ESTPrompt Injection Is Just the Start: Securing LLMs in AI SystemsTues, May 26, 2026, at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.GET YOUR PASSDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of UseYour Privacy Choices

Lawmakers have intensified scrutiny of Instructure following the compromise of its Canvas learning management system, which exposed thousands of educational institutions to significant disruption. The House Committee on Homeland Security initiated this inquiry by requesting a briefing for Instructure CEO Steve Daly regarding the recent attacks perpetrated by the ShinyHunters cybercrime group. The committee specifically questioned why the company experienced multiple breaches by the same threat actor within a single week and sought clarification on whether a ransom was paid, as well as the relationship between the Canvas incident and a previous security incident involving Instructure's Salesforce environment.

Instructure publicly disclosed the initial breach on May 1, admitting that threat actors obtained identifying user information, including names, emails, student ID numbers, and private communications. ShinyHunters subsequently claimed possession of over three terabytes of sensitive data belonging to more than nine thousand educational institutions. While Instructure indicated in a subsequent update that they had reached an agreement with the threat actor and that the stolen data had been returned and confirmed destroyed, the lack of admission regarding ransom payment suggests the attackers likely seized the opportunity.

The scrutiny extended to Instructure's incident response capabilities, as committee members questioned how the company managed the intrusion and failed to fully remediate underlying vulnerabilities during the initial period of the breach. This questioning was further complicated by references to a prior cybersecurity incident in September 2025, which involved a compromise of Instructure's Salesforce instance. This September incident, which was attributed to the threat actor UNC6040, is linked to the same collective, Scattered Lapsus$ Hunters, and represents another instance where Instructure was targeted.

Cybersecurity experts provided context regarding the persistence of threat actors and the priorities for organizational defense. Abbas Kudrati, chief identity security advisor at Silverfort, noted that the activity of ShinyHunters was distinct from the September compromise, although this demonstrated that Instructure remains a high-value target. Roy Akerman, vice president of identity security strategy at Silverfort, emphasized that threat actors aim to maximize data collection from a single compromise for follow-up attacks, stressing that the critical focus for organizations should be on their response protocols once malicious activity is detected and assuming future footholds. Experts warned that the window between initial compromise and significant damage can be extremely short, often measured in hours. Although public hearings were not yet confirmed, Silverfort urged customers to implement real-time monitoring for anomalous authentication behavior to mitigate ongoing risks.