Instructure Pays Ransom to ShinyHunters After 3.65TB Canvas Data Breach
Instructure, the parent company of Canvas, has paid an undisclosed ransom to the ShinyHunters extortion group to prevent the leak of 3.65TB of data stolen from nearly 9,000 educational institutions.
Instructure, the parent company of the widely used Canvas learning management system, has confirmed it said on Monday that it reached an agreement with the ShinyHunters cybercrime group after the attackers breached its network and stole 3.65TB of data from nearly 9,000 schools and universities. The company paid an undisclosed ransom to prevent the public release of the stolen data, which included approximately 275 million records containing usernames, email addresses, course names, enrollment information, and internal messages.
The breach, first wave of the attack occurred in late April 2026, when ShinyHunters exploited an unspecified vulnerability in Instructure's Free-for-Teacher environment to gain initial access. The attackers weaponized a flaw related to support tickets to siphon data from the environment, which is a separate instance from the main Canvas production platform. Instructure has emphasized that course content, student submissions, and credentials were not compromised credentials were not part of the exfiltration.
A second wave of unauthorized activity was detected on May 7, 2026, when the attackers defaced Canvas login portals at roughly 330 institutions with extortion messages. The messages gave Instructure a deadline of May 12, 2026, to negotiate a ransom or risk a full data leak. The company said it reached an agreement with the threat actor on Monday, citing concerns about the potential publication of data.
"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," Instructure said in a statement. The company added that the pilfered data has been returned to it, along with digital confirmation of data destruction, and that none of its customers will be separately extorted as a result of the hack.
In response to the breach, Instructure has temporarily shut down all Free-For-Teacher accounts, revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls. The company did not disclose the nature of the vulnerability but said it is working with expert vendors to support its forensic analysis and improve its cybersecurity posture.
The incident highlights the growing threat of extortion-focused cyberattacks against the education sector, which has become a prime target for ransomware groups due to its often limited security budgets and the sensitivity of the data it holds. Halcyon, a cybersecurity firm, warned that the exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike.
"Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks," Halcyon said. "Students, parents, and personnel at affected institutions should be considered, and institutions should issue phishing advisories and direct communications immediately."
The decision to pay the ransom is a controversial one, as it may encourage further attacks against the education sector. However, Instructure argued that it was necessary to protect its customers from the potential harm of a data leak. The company's stock price fell sharply following the disclosure of the breach, but has since recovered somewhat after the announcement of the ransom agreement.