Canvas owner Instructure has reached an agreement with the cybercriminal group behind a major data theft, moving to prevent the public release of information taken from one of the world’s most widely used learning management platforms.
The Salt Lake City-based education technology company said the stolen material had been returned and that it had received digital evidence indicating the data had been destroyed. The company did not disclose the financial or operational terms of the arrangement, nor did it confirm whether a ransom was paid. The agreement followed threats by the extortion group ShinyHunters to publish data allegedly taken from thousands of schools, colleges and universities unless a settlement was reached.
The breach has raised fresh questions over the security of centralised education platforms that support coursework, examinations, grading, messaging and student administration across multiple countries. Canvas is used by universities, school districts, training providers and public education systems, making the incident one of the most consequential cyber episodes to hit the education technology sector.
ShinyHunters claimed it had obtained about 3.65 terabytes of data linked to 8,809 institutions and as many as 275 million records. Those claims have not been fully independently verified, but Instructure has acknowledged that the compromised information included names, email addresses, student identification numbers and user messages. The company said it had not found evidence that passwords, dates of birth, government identification numbers or financial information were affected.
The incident began when Instructure detected unauthorised activity in Canvas on April 29. The company revoked access, launched an investigation and brought in outside forensic specialists. On May 7, further unauthorised activity was identified, with some users seeing altered Canvas pages as the attackers attempted to intensify pressure on the company and its customers. Canvas was briefly taken offline in maintenance mode while additional safeguards were applied.
Instructure has linked the activity to an issue involving Free-For-Teacher accounts, a limited no-cost version of Canvas used by individual educators. The company temporarily shut down those accounts while it worked to address the vulnerability. Core Canvas services have since been restored, though institutions have continued to assess possible exposure and communicate with students and staff.
The company’s chief executive, Steve Daly, apologised to affected users and said customers should not engage separately with the hackers. Instructure said it had obtained assurances that the stolen material would not be used to extort its customers, a key concern after the attackers directly listed institutions and threatened broader disclosure.
Cybersecurity specialists have cautioned that deletion promises from criminal groups cannot be treated as a full guarantee. Even where “shred logs” or other digital evidence are supplied, copied datasets may exist elsewhere, and personal details can still be used in phishing, credential attacks or social engineering campaigns. The episode has therefore left institutions facing the task of reassuring users while monitoring for follow-on scams.
The breach has also drawn scrutiny from policymakers in the United States, where congressional officials have sought a briefing from Instructure on the scale of the compromise, the company’s coordination with federal cyber agencies and the steps being taken to prevent another incident. Legal pressure is also building, with lawsuits accusing the company of failing to maintain adequate safeguards for student and staff data.
Education systems in the United States, Australia, Canada, the United Kingdom and other markets were among those monitoring the fallout. Several universities and public education bodies temporarily restricted access, warned users about possible scam emails and advised staff and students to remain alert for suspicious messages.
The attack highlights a broader shift in ransomware and extortion tactics. Criminal groups are increasingly targeting software providers whose platforms connect thousands of downstream organisations, allowing one breach to create pressure across a wide customer base. Education technology vendors are especially attractive because they hold large volumes of personal data, operate in time-sensitive academic environments and serve institutions that may lack extensive cyber resources.
The Salt Lake City-based education technology company said the stolen material had been returned and that it had received digital evidence indicating the data had been destroyed. The company did not disclose the financial or operational terms of the arrangement, nor did it confirm whether a ransom was paid. The agreement followed threats by the extortion group ShinyHunters to publish data allegedly taken from thousands of schools, colleges and universities unless a settlement was reached.
The breach has raised fresh questions over the security of centralised education platforms that support coursework, examinations, grading, messaging and student administration across multiple countries. Canvas is used by universities, school districts, training providers and public education systems, making the incident one of the most consequential cyber episodes to hit the education technology sector.
ShinyHunters claimed it had obtained about 3.65 terabytes of data linked to 8,809 institutions and as many as 275 million records. Those claims have not been fully independently verified, but Instructure has acknowledged that the compromised information included names, email addresses, student identification numbers and user messages. The company said it had not found evidence that passwords, dates of birth, government identification numbers or financial information were affected.
The incident began when Instructure detected unauthorised activity in Canvas on April 29. The company revoked access, launched an investigation and brought in outside forensic specialists. On May 7, further unauthorised activity was identified, with some users seeing altered Canvas pages as the attackers attempted to intensify pressure on the company and its customers. Canvas was briefly taken offline in maintenance mode while additional safeguards were applied.
Instructure has linked the activity to an issue involving Free-For-Teacher accounts, a limited no-cost version of Canvas used by individual educators. The company temporarily shut down those accounts while it worked to address the vulnerability. Core Canvas services have since been restored, though institutions have continued to assess possible exposure and communicate with students and staff.
The company’s chief executive, Steve Daly, apologised to affected users and said customers should not engage separately with the hackers. Instructure said it had obtained assurances that the stolen material would not be used to extort its customers, a key concern after the attackers directly listed institutions and threatened broader disclosure.
Cybersecurity specialists have cautioned that deletion promises from criminal groups cannot be treated as a full guarantee. Even where “shred logs” or other digital evidence are supplied, copied datasets may exist elsewhere, and personal details can still be used in phishing, credential attacks or social engineering campaigns. The episode has therefore left institutions facing the task of reassuring users while monitoring for follow-on scams.
The breach has also drawn scrutiny from policymakers in the United States, where congressional officials have sought a briefing from Instructure on the scale of the compromise, the company’s coordination with federal cyber agencies and the steps being taken to prevent another incident. Legal pressure is also building, with lawsuits accusing the company of failing to maintain adequate safeguards for student and staff data.
Education systems in the United States, Australia, Canada, the United Kingdom and other markets were among those monitoring the fallout. Several universities and public education bodies temporarily restricted access, warned users about possible scam emails and advised staff and students to remain alert for suspicious messages.
The attack highlights a broader shift in ransomware and extortion tactics. Criminal groups are increasingly targeting software providers whose platforms connect thousands of downstream organisations, allowing one breach to create pressure across a wide customer base. Education technology vendors are especially attractive because they hold large volumes of personal data, operate in time-sensitive academic environments and serve institutions that may lack extensive cyber resources.
Topics
Live News