Instructure Pays Ransom to ShinyHunters After Canvas Data Breach Exposes 275 Million Records
Instructure, the company behind the Canvas learning platform, confirmed it paid an undisclosed ransom to the ShinyHunters extortion group to recover 3.65 TB of stolen data affecting 275 million records across 8,809 institutions.
Instructure, the company behind the widely-used Canvas learning management system, has confirmed it reached an agreement with the extortion group ShinyHunters to prevent the public release of data stolen in a massive breach. The breach, disclosed on April 25, 2026, involved the theft of 3.65 TB of data—approximately 275 million records—from 8,809 educational institutions worldwide. The stolen data included student and staff names, email addresses, student identification numbers, and internal communications.
According to a statement from Instructure, the agreement included the return of the stolen data, digital confirmation that the data had been destroyed, assurances that affected customers would not be extorted, and a commitment that individual institutions would not need to engage with the threat actor. While Instructure did not explicitly confirm a ransom payment, the language strongly suggests one was made. “We know that concerns about the potential publication of data related to this incident remain top of mind for many customers,” the company said. “With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
The attack unfolded over several weeks. On April 25, ShinyHunters claimed responsibility for the breach. On April 29, Instructure detected unauthorized activity in its Canvas platform, revoked the attacker’s access, and launched an investigation with external forensic experts. On May 7, after the initial negotiation deadline expired, ShinyHunters defaced Canvas login portals at approximately 330 institutions and began directly extorting individual schools, giving them until May 12 to respond.
Instructure later traced the breach to a vulnerability in Free-For-Teacher accounts, a free version of Canvas intended for individual educators. The company temporarily shut down the service while investigating and deploying security fixes. The vulnerability allowed the attackers to gain access to the platform and exfiltrate vast amounts of data.
The decision to pay the ransom has drawn criticism from security experts, who note that paying does not guarantee the data has not been copied or shared. “This is exactly the problem with paying a ransom: once attackers have your data, there is no assurance it was not copied or shared with others. When dealing with criminals, all you really have is their word,” the company acknowledged in its statement.
Instructure stated it continues to work with external forensic experts to analyze the incident, strengthen the security of its environment, and assess the scope of the compromised data. The company has also notified affected institutions and is providing support. The breach underscores the persistent threat posed by extortion groups targeting educational institutions, which often hold sensitive data on millions of students and staff.