Homeland Security wants to know about the Instructure breach, and DataBreaches[.]net continues to track the Navigate360 incident, which has drawn Congressional inquiries due to the scale of sensitive data exposed. Instructure disclosed that ShinyHunters gained access in April by exploiting multiple cross-site scripting vulnerabilities in the Free-for-Teacher environment, and later announced a deal with the group after the group threatened to leak more than 3 TB of data from 275 million students and 9,000 schools.
On 7 May, ShinyHunters attacked Instructure again, defacing the Canvas login page and prompting an immediate takedown while most students were in finals week. The same outlet notes that Navigate360’s breach involved the BlueLeaks 2.0 dataset of tips reportedly destined for law enforcement and other programmes, with data including tips about serious crimes visible in plain text.
DataBreaches[.]net emphasises that the full dataset remains in the hands of two criminals and could be leaked or sold at any moment, despite Navigate360’s public silence. An update mentions a planned webinar with Instructure leadership on 13 May to detail the response and hardening efforts.