The Failure Pattern

On April 30, tools depending on Canvas API keys started failing across thousands of institutions. Instructure's status page called it "limited disruption to tools relying on API keys." Canvas Data 2 and Canvas Beta went into maintenance. By May 1, the CISO confirmed a criminal threat actor had been in the environment. Containment was declared May 2.

The confirmed data classes: names, institutional email addresses, student ID numbers, and Canvas inbox messages. Instructure explicitly states no passwords, government IDs, or financial data were involved. The forensic investigation is still running.

ShinyHunters claimed responsibility May 3, asserting 3.65TB exfiltrated across 275 million users at roughly 9,000 institutions. Those figures are adversary self-reporting and unverified. The University of Pennsylvania confirmed approximately 306,000 affected users -- that's the only institution-level figure from a confirmed source so far.

No CVE. No CISA advisory. No IOC list.…