Instructure, the parent company of the Canvas online learning platform, announced on May 11 that it had reached an agreement with the hacking group ShinyHunters to secure and delete stolen student and school data. In a statement posted to its website, the company said it had "reached an agreement with the unauthorized actor involved with this incident." As part of the agreement, all stolen data was returned to Instructure, and the company received digital confirmation of data destruction, described as "shred logs." The company also said it was informed that no Instructure customers would be extorted as a result of the incident, either publicly or otherwise.
The hacking group ShinyHunters claimed responsibility for the breach in early May, threatening to leak 3.5 to 6.65 terabytes of data affecting nearly 9,000 schools worldwide and approximately 275 million individuals. The group had set a deadline of May 6 for ransom negotiations but later extended it. In a message to Reuters, a ShinyHunters representative stated that the "data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us."
Instructure temporarily took the Canvas system offline following the breach, disrupting access for students and faculty during finals week. The company acknowledged in its statement that there is no way to be certain the data was permanently erased, but emphasized that it took action to mitigate risks of further exposure or extortion. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said.
The breach exposed student ID numbers, email addresses, names, and private messages exchanged on the platform, according to Instructure. The company stated it found no evidence that passwords, Social Security numbers, financial information, or grades were accessed. The incident prompted some universities to disable access to Canvas temporarily, while others delayed exams or extended deadlines as students struggled to regain access to coursework. Institutions in the United States, Canada, Australia, and the UK reported disruptions.
Instructure CEO Steve Daly issued an apology in a blog post, acknowledging that the company had not provided consistent communication during the crisis. "You deserved more consistent communication from us, and we didn't deliver it," Daly said. "I'm sorry for that." He added that the company would provide more regular updates moving forward.
Background and Response
The cyberattack was first discovered on April 29, with ShinyHunters publicly claiming responsibility on May 3. The group had previously targeted Instructure in a smaller breach in 2024. A federal lawsuit filed in Utah last week alleged that Instructure had not done enough to protect the platform, describing it as "easy prey for cybercriminals."
Cybersecurity experts have noted that paying ransom demands does not guarantee data deletion and can encourage further attacks. Instructure did not disclose whether the agreement involved a financial payment. A ransomware negotiator quoted by Channel News Asia suggested that "some money was sent," though the company has not confirmed this.
The House Homeland Security Committee sent a letter to Instructure CEO Steve Daly on May 11, requesting a briefing on the breach, the nature and amount of data stolen, the company's response, and its coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA).