VYPR
breach · Published May 12, 2026 · Updated May 18, 2026 · 1 source

Instructure Pays ShinyHunters to Halt Leak of 30M Canvas User Records

Edtech giant Instructure has reached an agreement with the ShinyHunters extortion group to prevent the leak of 3.6TB of data stolen from its Canvas LMS platform, affecting over 30 million users.

Instructure, the company behind the widely used Canvas learning management system, has confirmed it reached an agreement with the ShinyHunters extortion group to prevent the public release of data stolen in a recent breach. The cybercrime gang claimed to have exfiltrated more than 3.6TB of uncompressed data, including usernames, email addresses, course names, enrollment information, and messages, from over 30 million educators and students across more than 8,000 schools and universities worldwide.

In a Tuesday statement, Instructure said ShinyHunters returned the stolen data and provided shred logs confirming its destruction. The company stated that no Instructure customers will be extorted as a result of this incident, publicly or otherwise, and that the agreement covers all impacted customers. ShinyHunters has now removed the Instructure entry from its data leak site, a move that typically follows ransom payments.

However, as the FBI has repeatedly warned, paying a ransom does not guarantee that threat actors will not also sell the stolen data to other cybercriminals or attempt to extort the victims again. The company acknowledged the unsettling nature of the situation and said protecting its community remains its top priority. Instructure leadership will share more information regarding the incident and security measures in a May 13 webinar.

Instructure confirmed to BleepingComputer that ShinyHunters exploited a security issue in the Free-for-Teacher environment, a free, limited version of Canvas LMS for individual educators, to steal the data. The cybercrime group also hacked Instructure again on May 7, using the same vulnerability to deface Canvas login portals and leave an extortion message warning that the company and its customers had until May 12 to enter negotiations to pay a ransom.

Although the company did not share further technical details, BleepingComputer learned that the attacker exploited multiple cross-site scripting (XSS) vulnerabilities. ShinyHunters injected malicious JavaScript to exploit Canvas XSS flaws in user-generated content features, which allowed them to obtain authenticated admin sessions and perform privileged actions. The unauthorized actor made changes to pages that appeared when some students and teachers were logged in through Canvas.

Since the incident, Instructure has temporarily shut down Free-for-Teacher accounts and said it is working to resolve these security issues to prevent future incidents. Canvas has been restored and is fully back online and available for use. The company recommends that customers continue normal monitoring of their Canvas environments, integrations, and administrative activity.

This is not the first time ShinyHunters has targeted Instructure. In September 2025, the company disclosed another breach, also claimed by ShinyHunters, that allowed attackers to access data in the edtech giant's Salesforce instance. The group has recently claimed responsibility for breaches at Google, Cisco, PornHub, the European Commission, Match Group, Rockstar Games, ADT, Vimeo, McGraw-Hill, Medtronic, and Zara.

Synthesized by Vypr AI