[TIMESTAMP: 2026-05-13 00:53 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

US House Committee Probes Instructure Following Canvas Cyberattacks

// executive briefing tl;dr
  • [01] Immediate impact: The ShinyHunters group compromised the Canvas platform, stealing student data and disrupting school operations during critical final examination periods.
  • [02] Affected systems: The breach targeted the Instructure Canvas Learning Management System, affecting numerous K-12 and higher education institutions.
  • [03] Remediation: Organizations must enforce multi-factor authentication and conduct thorough audits of administrative access logs to detect unauthorized account activity.

Federal Oversight into Instructure Canvas Incidents

The United States House Committee on Homeland Security has formally requested testimony from Instructure executives regarding two major security incidents affecting the Canvas Learning Management System (LMS). According to Bleeping Computer, lawmakers are seeking to understand the circumstances surrounding breaches occurring in May and June 2024, which were carried out by the ShinyHunters extortion group. The committee’s inquiry reflects growing concern over the vulnerability of educational technology platforms that handle sensitive student information.

Chairman Mark Green, along with several subcommittee chairs, expressed alarm that these cyberattacks disrupted educational continuity, specifically during final exam periods. The committee’s request for testimony from Instructure on the Canvas cyberattacks underscores the federal government’s increasing role in holding software providers accountable for the security of critical data in the public sector.

ShinyHunters Data Breach Impact on Schools

The threat actor responsible for these incidents, ShinyHunters, is a well-known group that frequently targets cloud-based services and databases to exfiltrate and sell data on illicit forums. In May 2024, Instructure reported that an unauthorized party gained access to a limited number of files via a compromised credential. By June 2024, the group claimed to have accessed more extensive datasets, subsequently listing student information for sale on the revived BreachForums platform.

This sequence of events highlights a common TTP used by extortion groups: leveraging stolen credentials to bypass traditional perimeters. The stolen data reportedly includes full names, email addresses, and internal user identifiers. For a modern SOC, the recurring nature of these incidents within a single quarter suggests either persistent access or an insufficiently contained initial compromise. This breach is particularly damaging because it targets minors and students, whose PII can be utilized for long-term identity theft or targeted phishing campaigns.

Technical Analysis of Academic Disruption

While no specific CVE has been identified as the root cause, the incidents appear to stem from unauthorized access to administrative or high-privilege accounts. The disruption to final exams indicates that the attackers did not merely seek to exfiltrate data but also engaged in activities that impacted the availability of the LMS. For educational institutions, the loss of availability during peak academic windows can have cascading effects on grading, graduation timelines, and institutional reputation.

The committee’s investigation will likely focus on whether Instructure maintained adequate Zero Trust architectures and whether it had sufficient EDR or logging capabilities to detect the unauthorized movement within its cloud environment. The lack of public details on the specific exploitation vector suggests a need for deeper forensic transparency, which the House Committee intends to extract through its briefing.

How to Secure Canvas LMS Platform and Educational Infrastructure

To mitigate the risks associated with third-party LMS platforms, defenders must treat these services as critical components of their attack surface. Security teams should prioritize the following actions:

  • Enforce Hardware-Based MFA: Move beyond SMS or push-based authentication for all administrative accounts to prevent credential-based takeovers.
  • Audit Third-Party Integrations: Frequently review API permissions and integrations within the Canvas platform to ensure the principle of least privilege is applied.
  • Centralized Log Monitoring: Integrate LMS audit logs into a SIEM to monitor for anomalous login locations or bulk data exports.
  • Incident Response Planning: Update response playbooks to include specific scenarios for third-party software outages during high-stakes academic periods.

By adopting these measures, educational organizations can better protect student PII and ensure that even if a service provider is compromised, the impact on local operations is contained.
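
The "Centralized Log Monitoring" item above, sketched as detection logic a SIEM rule could mirror. This is an added example, not code from Instructure or from the original article: the event schema, field names, baseline, and thresholds are all assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not Canvas's own log format).
SAMPLE_LOG = """\
{"ts":"2024-01-10T08:00:00","user":"admin1","action":"login","country":"US"}
{"ts":"2024-01-10T08:05:00","user":"admin1","action":"export","object":"grades"}
{"ts":"2024-01-11T03:10:00","user":"admin1","action":"login","country":"ZZ"}
{"ts":"2024-01-11T03:11:00","user":"admin1","action":"export","object":"users"}
{"ts":"2024-01-11T03:12:00","user":"admin1","action":"export","object":"enrollments"}
{"ts":"2024-01-11T03:13:00","user":"admin1","action":"export","object":"grades"}
not-json
"""
BASELINE = {"admin1": {"US"}}      # assumed: countries each admin normally logs in from
EXPORT_LIMIT = 3                   # assumed: exports per user that count as "bulk"
WINDOW = timedelta(minutes=10)     # assumed: sliding window for the export count

def detect(lines, baseline):
    """Scan time-ordered JSON-lines events; return a list of (rule, user, detail) alerts."""
    alerts = []
    seen = {user: set(countries) for user, countries in baseline.items()}
    exports = defaultdict(list)    # user -> export timestamps still inside WINDOW
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            user, action = ev["user"], ev["action"]
        except (ValueError, KeyError, TypeError):
            # A gap in parsing is a gap in visibility, so surface it instead of dropping it.
            alerts.append(("unparsed", None, line[:40]))
            continue
        if action == "login":
            country = ev.get("country")
            known = seen.setdefault(user, set())   # users without a baseline alert on first login
            if country not in known:
                alerts.append(("new_login_country", user, country))
                known.add(country)                 # alert once per new country
        elif action == "export":
            recent = [t for t in exports[user] if ts - t <= WINDOW] + [ts]
            exports[user] = recent
            if len(recent) == EXPORT_LIMIT:        # fire once when the threshold is crossed
                alerts.append(("bulk_export", user, len(recent)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), BASELINE):
        print(alert)
```
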
