Security News

Cybersecurity news aggregator

Source: SC Media (category: Attacks; severity: HIGH)

House committee chair calls on Instructure to testify in Canvas hack

The article details two distinct attacks against Instructure's Canvas platform: an initial identity-based compromise of privileged access, followed by a second attack exploiting cross-site scripting (XSS) vulnerabilities to hijack authenticated admin sessions. Specific CVSS scores, affected software versions, fixed versions, and workarounds are not provided in the source material. The incident has prompted a congressional inquiry due to its widespread impact on educational institutions.

May 13, 2026

By Steve Zurier

It's fair to say that Instructure, maker of the popular educational software platform Canvas, has had its name in the headlines this week. The company made the news in early May after it was hacked twice by ShinyHunters, a series of incidents that wreaked havoc, causing outages and data loss during finals week across 9,000 colleges and about 30 million students worldwide. Instructure also admitted publicly that it negotiated with the hackers and reached a settlement under which the stolen data was said to have been returned. The financial terms of the settlement have yet to be disclosed.

Rep. Andrew Garbarino, R-N.Y., sent Instructure CEO Steve Daly a letter on May 11 requesting that he appear before the House Homeland Security Committee, which Garbarino chairs, before May 21. “The Committee takes seriously both the harm to students and educational institutions caused by this incident and the broader implications for how the educational technology sector manages and discloses cybersecurity risks,” wrote Garbarino in the letter. “We look forward to a candid and informative exchange.”

In responses to the news, many cybersecurity professionals pointed out that the first hack was identity-based, while the second involved multiple exploits of cross-site scripting (XSS) bugs. Identity attacks are far more common today, but XSS has been on the OWASP Top 10 list for at least two decades; it is not exactly an unknown bug.

Amir Khayat, co-founder and CEO of Vorlon, explained that ShinyHunters took down Canvas in two attacks. The first came April 29, and Instructure said it was resolved. Eight days later the login page was replaced with a ransom demand: pay, or the hackers would release 3.65 terabytes of student data. Khayat said the point here is that Canvas runs on 41% of North American higher education networks. One breach does not touch one school; it touches every institution that trusted the same vendor.

“ShinyHunters used cross-site scripting vulnerabilities to hijack authenticated admin sessions,” said Khayat. “XSS is one of the oldest, most documented vulnerability classes in existence. This is not a sophisticated nation-state exploit. It is the kind of flaw that shows up in every foundational security audit.”

Kevin Surace, chair at TokenCore, pointed out that the valuable student data appears to have been stolen before the public XSS defacement. “That first and more serious breach was likely an identity compromise involving privileged access, stolen credentials, stolen tokens, compromised MFA, or some combination of those,” said Surace.

Surace said the later XSS attack appears to have been used to intimidate Instructure. XSS lets an attacker inject JavaScript into a trusted application context. If that script executes inside an authenticated Canvas session, Surace said, it can potentially read session state, make requests as the logged-in user, modify visible pages, or abuse whatever permissions that session already has. “That means this was not merely a web bug,” said Surace. “It was a failure of input validation, browser side containment, session isolation, and privilege separation.”

Denis Calderone, Principal/CTO at Suzu Labs, said what happened is straightforward: ShinyHunters injected malicious JavaScript into content fields in Canvas's Free-for-Teacher environment. Because user input wasn't being properly sanitized or encoded on output, that JavaScript executed in the context of authenticated admin sessions. Once there's an admin session, the hackers own the platform, said Calderone, allowing exfiltration of sensitive data and, later, the ability to rewrite login pages across hundreds of institutions.

“We're spending enormous energy on AI threats and novel attack chains while stored XSS, SQL injection flaws and buffer overflows are still taking down critical infrastructure in education,” said Calderone. “Input validation, output encoding, content security policy headers: these aren't emerging technologies. They're baseline hygiene. If your application accepts user-generated content and renders it back to other users, you need to be running regular application penetration testing, not just automated scans, actual manual testing by people who think like attackers.”
