Instructure Reaches Deal with ShinyHunters to Prevent Canvas Data Leak

Summary

Instructure negotiated an agreement with ShinyHunters ransomware group to retrieve and destroy 275 million stolen student records from Canvas learning platform, preventing public disclosure. The attackers had exploited a vulnerability in "Free for Teacher" accounts and defaced login pages at 330 schools before agreeing to delete the data. The company disabled vulnerable accounts and confirmed core learning data was not compromised.

Full text

Data Breaches Cyber Crime SecurityInstructure Reaches Deal with ShinyHunters to Prevent Canvas Data Leak Instructure has reached an agreement with the ShinyHunters group to return and destroy stolen Canvas data, protecting millions of student records from a public leak. byDeeba AhmedMay 13, 20263 minute read The company behind the Canvas learning platform, Instructure, has reached an agreement with ShinyHunters, who stole 275 million student records this month. The hackers originally threatened to leak the private information of students and teachers unless they were paid by a deadline of 12 May 2026. The New Agreement Instructure shared the news on its website in an update dated 11 May 2026. The company revealed that it reached an agreement with the hackers to prevent them from leaking the stolen data, confirming that the stolen data was returned with digital proof of the hackers destroying their copies. This proof is called shred logs, which are technical documents that show files have been permanently deleted. Instructure says schools and universities don’t need to communicate with the hackers themselves because this one deal covers all institutions involved. They also stated that no customers will be extorted or asked for money by this group. They, however, didn’t disclose if or how much ransom was paid. Instructure noted that this step was taken to give the impacted families some peace of mind. How the Attack Happened This update follows past coverage from Hackread.com detailing how the breach occurred. On 30 April 2026, ShinyHunters exploited a vulnerability in “Free for Teacher” accounts, specifically involving how the system handles support tickets, to hack into the internal networks and steal around 3.65 terabytes of data On 7 May, the hackers attacked again by defacing the login pages for about 330 schools to show a ransom note. This forced the company to temporarily shut down some services, including Canvas Data 2 and Canvas Beta, which caused problems for school apps that relied on digital connectors called API keys. During this second attack, students at hundreds of institutes worldwide, including the University of Colorado and Virginia Tech, saw their screens replaced with messages from the hackers. Many students found they couldn’t access their exams or assignments right when they needed them most, causing a lot of stress in classrooms. The stolen data included sensitive details like names, email addresses, student ID numbers, and course details. Most worryingly, it included billions of private messages sent between teachers and students. Defacement message left by the ShinyHunters hacking group on the Canvas LMS portal (Image credit: Hackread.com) ShinyHunters’ Official Statement Although the hackers did not publicly confirm receiving payment from Instructure, the group claimed that data linked to Canvas would not be leaked. Referring to the incident as “the recent situation at the LMS company,” the attackers said they were no longer seeking payment and claimed the stolen data had been deleted. “We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us; the matter has been resolved. The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent.” ShinyHunters ShinyHunters updated announcement regarding the Canvas LMS data breach and its dealings with Instructure (Image credit: Hackread.com) Is the Platform Safe? Steve Daly, the head of Instructure, apologised to everyone for the stress caused. He confirmed that core data like grades and submitted schoolwork weren’t stolen and that they have now turned off the “Free for Teacher” accounts while they fix the security issues. For now, the company says Canvas is back to normal and safe to use. “Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised. We’ll give you clear guidance if any action is required on your end. Right now, there’s nothing you need to do,” Daly stated. Even though a deal was made, students should still be careful since digital data cannot be perfectly recalled, and hackers may have made hidden copies before deleting the originals. They can easily use these details to send realistic phishing emails to trick people. The company is still investigating the incident. We will share more details as these emerge. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. CanvasCyber AttackCyber CrimeCybersecurityData leakInstructureRansomShinyHunters Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security Cyber Attacks Bridgestone Confirms Cyberattack Disrupting North American Plants Bridgestone confirms a cyberattack that disrupted manufacturing plants. This article details the impact on employees, expert analysis, and… byDeeba Ahmed Malware Security Hotel Wi-Fi Can Threaten Your Laptop with Malware Following Kaspersky Labs’ identification of a unit issuing attacks on distinct high-end hotel guests in Asia and the… byWaqas Read More Security Windows Apps Vulnerable to Command Injection via “BatBadBut” Flaw Critical 'BatBadBut' Flaw in Windows Lets Hackers Inject Commands (Patch Now!) byDeeba Ahmed Read More News Cyber Crime Phishing Scam Security Zimbra email platform vulnerability exploited to steal European govt emails Researchers have noted that attackers are targeting a medium-severity Zimbra vulnerability that the company patched in version 9.0.0 Patch 24, one year ago. byDeeba Ahmed

Indicators of Compromise

• malware — ShinyHunters

Entities