Instructure, the Utah-based company behind the Canvas learning management system, said on Monday evening that it has "reached an agreement" with ShinyHunters, the criminal hacking group that breached the platform twice in two weeks, stole 3.65 terabytes of data affecting 275 million people across nearly 9,000 educational institutions, and defaced login pages at hundreds of universities during finals week.
The company said it received "digital confirmation of data destruction" through shred logs and assurances that no customers would be extorted. It did not disclose financial terms. A listing for Instructure on ShinyHunters' data leak site was subsequently removed, a pattern consistent with ransom payment. The FBI said it was "aware" of the disruptions and urged victims not to pay.
The agreement, whatever its terms, sets a troubling precedent for the education sector, and the sequence of events that led to it is a case study in how not to handle a data breach.
The timeline is damning. On 29 April, ShinyHunters exploited a vulnerability in Canvas's Free-for-Teacher accounts to gain access to Instructure's systems. On 1 May, the company acknowledged a cybersecurity incident. On 2 May, it said the breach had been contained.
On 3 May, ShinyHunters published a ransom note claiming 275 million records and billions of private messages between students and teachers, and gave Instructure until 6 May to make contact. Instructure did not respond. Instead, it applied security patches, declared the incident closed on its status page, and told schools Canvas was back to normal.
On 7 May, ShinyHunters breached the company a second time, using the same vulnerability class, and injected a defacement message across approximately 330 institutional Canvas login pages.
Students at Harvard, Columbia, Princeton, Penn, Duke and Arizona State University, many of them in the middle of final examinations, were greeted by a ransom note when they tried to access their coursework.
Universities scrambled to suspend Canvas access, postpone exams and extend assignment deadlines. Instructure took the platform offline globally.
The second breach exposed the inadequacy of the company's initial response. ShinyHunters wrote in its ransom note that Instructure had "ignored us and done some security patches" rather than engaging.
Security researchers at Halcyon, the anti-ransomware firm, noted that the hackers' pivot to direct school-by-school extortion, setting individual deadlines and inviting institutions to negotiate their own settlements, was a deliberate escalation designed to generate maximum pressure from Instructure's own customers.
The pressure worked. By Monday evening, Instructure's chief executive, Steve Daly, had issued an apology for the company's lack of transparency and announced the agreement.
The deal raises more questions than it answers. ShinyHunters is a loosely organised, financially motivated extortion group with documented operational overlap with Scattered Spider and LAPSUS$. Mandiant, Google's cyber-intelligence unit, described its members as predominantly teenagers and young adults based in the United States and the United Kingdom. A member was sentenced by the US Department of Justice in 2024 for posting stolen data from more than 60 companies on dark web forums.
Taking a criminal group's assurance that stolen data has been destroyed at face value requires a level of trust that the cybersecurity community regards as naive. Allison Nixon, chief research officer at security consultancy Unit 221B, argued that companies should not pay ShinyHunters, saying the group has a track record of continued engagement with stolen data even after receiving payment.
The stolen information included names, institutional email addresses, student ID numbers, course enrolments and Canvas inbox messages, the private communications between students and teachers that represent some of the most sensitive data in any educational institution.
The exposure of billions of private messages creates a long-tail risk of targeted phishing, social engineering and identity fraud that no ransom payment can remediate. The data may have been copied, shared or sold before any destruction took place.
For the education sector, the incident is a reminder of a structural vulnerability that has been growing for years. Schools have consolidated their digital infrastructure around a small number of cloud-based platforms (Canvas, Blackboard, Google Classroom), creating single points of failure that affect millions of users when breached.
Canvas alone is used by 41% of American higher education institutions. When one company's security fails, the disruption cascades across thousands of schools simultaneously.
Instructure is owned by Thoma Bravo, the private equity firm that acquired it in 2020 for $2 billion. The company has not disclosed whether leadership changes will follow the breaches, and spokesperson Brian Watkins did not respond to requests for comment. The FBI has mobilised resources across multiple states to assist affected institutions.
The agreement with ShinyHunters may buy Instructure time, but it does not buy its customers' safety. The data is in the wild. The vulnerability class that enabled both breaches has been demonstrated. And the precedent that paying works has been established for every criminal group watching.
The recap
- Instructure reached an agreement with hackers who breached Canvas.
- Hackers claimed they stole data for 275 million people.
- Instructure is investigating and validating its breach findings.