TL;DR
Instructure, the company behind Canvas, announced it has reached an agreement with the hackers responsible for two recent breaches. The hackers, ShinyHunters, claimed to have stolen data from nearly 275 million users but now say the data has been destroyed. The terms of the deal and whether ransom was paid remain undisclosed.
Instructure, the maker of the Canvas school information platform, has reached an agreement with the hackers who breached its systems twice, according to the company’s statement on Tuesday. The hackers, identified as ShinyHunters, claimed to have stolen data affecting hundreds of millions of students and staff, and had used the breaches to pressure the company into paying a ransom. The deal reportedly includes the hackers providing evidence that the stolen data was destroyed, although the financial terms remain undisclosed.
On Tuesday, Instructure confirmed that it had negotiated an agreement with ShinyHunters, a cybercrime group responsible for two separate breaches of its systems within less than a year. The first breach, in April, involved the theft of data from approximately 275 million individuals, including students and staff, with the hackers claiming to have stolen personal information such as names, email addresses, and private messages exchanged on the platform. The second breach, last week, saw the hackers deface Canvas login pages on school websites, escalating pressure on the company to meet extortion demands.
Instructure’s statement indicated that, as part of the agreement, the hackers had provided evidence that the stolen data was destroyed and that the company’s customers would not be extorted further. The company did not disclose whether it paid a ransom or the amount involved. The hackers’ leak site previously threatened to publish the stolen data if demands were not met, but the listing was removed Tuesday, suggesting a ransom may have been paid. A ShinyHunters representative confirmed to TechCrunch that the data was deleted and that the group would cease further contact or threats.
Why It Matters
This development is significant because it highlights ongoing cybersecurity risks faced by educational institutions and the potential for data breaches to disrupt school operations and compromise sensitive information. The fact that hackers successfully breached Instructure twice within a year underscores vulnerabilities in the platform’s security measures. The decision to negotiate and potentially pay a ransom raises questions about best practices for responding to cyber extortion, especially given warnings from U.S. authorities advising against ransom payments to discourage incentivizing cybercriminals.
McAfee Total Protection 1-Device | AntiVirus Software 2026 for Windows PC & Mac, AI Scam Detection, VPN, Password Manager, Identity Monitoring | 1-Year Subscription with Auto-Renewal | Download
DEVICE SECURITY – Award-winning McAfee antivirus, real-time threat protection, protects your data, phones, laptops, and tablets
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background
Instructure’s breaches follow a pattern seen in similar incidents affecting educational technology providers, such as PowerSchool, which paid hackers after a massive data breach affecting millions of students and staff. The FBI and U.S. government agencies have issued warnings advising victims not to pay ransoms, citing risks of continued extortion and data misuse. The involvement of ShinyHunters, a known financially motivated hacking group, underscores the persistent threat posed by organized cybercrime targeting sensitive data in the education sector.
Instructure acknowledged the breaches publicly, noting that the two incidents involved different systems and were “distinct events.” The company is still investigating the breaches, and it remains unclear who within Instructure is responsible for cybersecurity oversight. The CEO, Steve Daly, has not commented on whether he intends to resign amid the incidents.
“We have reached an agreement with the hackers, and they have provided evidence that the stolen data has been destroyed.”
— Instructure spokesperson Brian Watkins
“The data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.”
— ShinyHunters representative
“Victims should not send payment or respond to extortion demands.”
— FBI statement
BUISAMG Data Blocker, USB Data Blocker Protection from Illegal Downloading, Hacking Proof Guaranteed, USB C Data Blocker for iPhone 17 16 15 & Any USB Phone Charging (8-Pack)
【2025 upgraded version】BUISAMG's data blocker is constantly pursuing innovation, with products that are smaller and more convenient for…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What Remains Unclear
It is not yet clear whether Instructure paid a ransom or if the hackers’ claim of data destruction is verified independently. The specifics of the financial agreement, if any, remain undisclosed. Additionally, the full scope of the data affected and whether other security measures have been implemented are still unknown. The responsibility for cybersecurity oversight within Instructure has not been clarified, and the potential impact on user trust is uncertain.
TrulyOffice 2024 Student Lifetime License for Windows | 3 in 1 All Access TrulyOffice Suite | Words, Sheets, Slides | 2 Users | Physical Activation Card
Lifetime License for 2 Users: Perpetual access for two users to TrulyOffice 2024 on Window, ensuring uninterrupted usage.
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What’s Next
Instructure is expected to continue its investigation into the breaches and may implement additional security measures. The company might also issue further statements or updates regarding its cybersecurity strategy. Regulatory agencies could scrutinize the incident, and affected schools may review their data security protocols. Monitoring of the hackers’ activity and potential future threats remains a key concern for stakeholders.
CompTIA Security+ Guide to Network Security Fundamentals (with CertBlaster Printed Access Card) (MindTap Course List)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Did Instructure pay a ransom to the hackers?
It has not been officially confirmed whether Instructure paid a ransom. The removal of the hackers’ leak site listing suggests a ransom may have been paid, but the company has not disclosed specific details.
What data was stolen in the breaches?
The stolen data reportedly includes students’ names, personal email addresses, and private messages exchanged between teachers and students. Some of this data has been reviewed by TechCrunch.
Will this affect the security of Canvas moving forward?
Instructure has stated it is investigating the breaches and is likely to enhance its security measures. The full impact on platform security remains to be seen.
Are other schools or platforms at risk?
Given the pattern of attacks on education technology providers, other schools and platforms may also be at risk. Authorities continue to warn against paying ransoms and recommend strong cybersecurity practices.
