Instructure, the company behind the online learning platform Canvas, said it reached an agreement with the extortion group ShinyHunters to prevent data stolen in a recent breach from being leaked online.
According to the company’s website, Canvas has more than 30 million active users worldwide and serves more than 8,000 institutions.
Although Instructure did not disclose the terms of the arrangement, the statement strongly suggests a ransom payment was made.
“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority,” Instructure said.
“With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
The agreement included the return of the stolen data, digital confirmation that the data had been destroyed, assurances that affected customers would not be extorted, and a commitment that individual institutions would not need to engage with the threat actor.
“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company added.
This is exactly the problem with paying a ransom: once attackers have your data, there is no assurance it was not copied or shared with others. When dealing with criminals, all you really have is their word.
Instructure stated it continues to work with external forensic experts to analyze the incident, strengthen the security of its environment, and assess the scope of the compromised data.
How the Canvas hack unfolded
The extortion group ShinyHunters claimed responsibility for a breach of Instructure’s Canvas learning management system on April 25, 2026, alleging the theft of 3.65 TB of data tied to approximately 275 million records across 8,809 educational institutions.
The data included student and staff names, email addresses, student identification numbers, and internal communications.
On April 29, Instructure detected unauthorized activity in its Canvas platform, revoked the attacker’s access, launched an investigation, and engaged external forensic experts.
On May 7, after the initial negotiation deadline expired, ShinyHunters defaced Canvas login portals at about 330 institutions and began directly extorting individual schools, giving them until May 12, 2026, to respond.
Instructure later tied both incidents to a vulnerability in Free-For-Teacher accounts, a free version of Canvas intended for individual educators. The company temporarily shut down the service while investigating the issue and deploying security fixes.
