Congress Hits Back: Instructure Owes Us Answers About The Canvas Hack


The House isn’t happy. Lawmakers are demanding Instructure show up. They want testimony. Why? Because the education platform got hacked twice. Millions of students. Millions of teachers. All exposed.

And Instructure was slow. Very slow.

“Congress Wants Instructure to Answer Questions”

The deal with ShinyHunters looks good on paper. The hackers promised to destroy the stolen data. No more extortion. Just silence. Instructure said they received “shred logs” as proof. Digital confirmation, sort of.

But does anyone believe ransomware groups?

Rep. Andrew Garbarino chairs the Homeland Security Committee. He’s sending letters. He wants to know how coordination with CISA worked out. Was it adequate? The Cybersecurity and Infrastructure Security Agency helped contain the blast. Instructure also called in outside forensics experts. Garbarino sees something missing in that narrative.

He’s a Republican from New York. He doesn’t care much for corporate evasion. His letter to CEO Steve Daly cuts right to the bone:

  • How did they get in again?
  • What exactly was stolen?

Usernames. Emails. Course names. Messages between teachers and kids. Enrollments. Instructure lists these like they’re minor inconveniences. They aren’t. These are lives.

The Double Tap

April 29. ShinyHunters slipped in. They used a flaw tied to “Free-For-Teacher” accounts. It’s a specific vector. A back door they kept open or maybe just found.

They scraped everything they could find.

Then they paused.

Until May 7. They hit again. This time they left a note. A digital taunt on the login screen. Instructure panicked. Well. They should have. Canvas went into maintenance mode. Students logged in. Nothing happened. Just a wall of code saying “try later.”

ShinyHunters claimed over 9,000 institutions were in their crosshairs. Universities. Public schools. K-12 everywhere. Which means minors. Underage kids’ data floating around the dark web. That’s a nightmare for privacy advocates. And for parents.

Who Are ShinyHunters Anyway?

If the name sounds familiar, good. It should.

This isn’t a random kid with a laptop. It’s an organized collective. Ransomware veterans. They took on Anodot recently. They grabbed Rockstar Games business data back in April. Microsoft? Cisco? AT&T? They’ve looked there. Insurance companies? Credit unions? Anyone holding sensitive data is a target.

Instructure isn’t unique. Just high-profile.

Right now Canvas works. Mostly. Free-For-Teacher accounts are dead though. Temporarily disabled. Instructure says the forensics partner sees no active threat. The actors are out. Or at least they are quiet.

A webinar is planned. Maybe for May 13? The dates keep shifting. The company points to their incident page for everything else. Standard PR move. Deflect. Refer to the blog post.

Paying the Ransom. Again.

Here’s the real controversy.

Instructure paid.

They reached an agreement. ShinyHunters deleted the data (allegedly). Instructure announced this deal proudly. Industry experts hate this. The FBI hates this.

“It normalizes the pattern for future criminals”

Troy Hunt runs Have I Been Pwned. He tracks breaches for a living. He thinks this is terrible advice. Paying criminals makes crime profitable. It sends a signal. Crime pays.

Why did they do it? Scale. Scope. Pressure from schools. Parents screaming about child safety. Instructure felt backed into a corner. Maybe they thought it was the only way to stop the leaks.

Hunt doesn’t buy the shred logs.

“There is never complete certainty,” Instructure’s website claims. Even they know this. Yet they called it a success.

Look at PowerSchool. Late 2024. They paid ShinyHunters. Got a video of the hackers burning hard drives (digitally). Did the data vanish? No. It surfaced later. Teachers got extorted individually. More money demanded. For the same data.

That pattern exists. It repeats.

Instructure thinks they dodged the bullet. The FBI thinks they fed the wolf. Troy Hunt thinks it’s a warning shot to every other company sitting on student data.

Are the copies gone?

Probably not.

ShinyHunters are experienced. They likely have backups. Offsite. Encrypted. Waiting for a new opening.

Instructure says no evidence of current access. The forensics partner says they are safe. But safe isn’t secure. And destroyed isn’t gone.

Millions of student records. Out there. Somewhere.

Waiting for the next demand.