Instructure reaches settlement with ShinyHunters over Canvas data breach

Instructure, the provider of the Canvas learning management platform, has confirmed it has reached an agreement with the ShinyHunters hacking group following a significant breach of its systems. The incident occurred last week when attackers exploited compromised Free-For-Teacher accounts to gain access to the network, temporarily forcing the company to shut down those specific accounts.

The ShinyHunters group claimed responsibility for the intrusion and threatened to publish 3.5 terabytes of student data unless a settlement was paid. Instructure has stated that it has reached an arrangement to prevent this data from being released online, a move that strongly implies a ransom payment was made, although the company has not explicitly confirmed financial terms.

In its latest statement, Instructure indicated that it has received proof that the stolen data has been destroyed and returned, assuring customers that no further extortion will occur. However, the assertion that the data was both returned and destroyed has drawn scrutiny, as such claims from cyber criminals are often unreliable and have been contradicted in previous high-profile cases.

Most Canvas systems have since been restored to normal operation, providing relief to the vast majority of users. Nevertheless, access to the Free-For-Teacher accounts remains suspended pending a comprehensive review of the security breach. The company has not yet announced a timeline for when these specific accounts will be reinstated.

Instructure plans to host a webinar to share further details regarding the attack and the steps being taken to harden its environment. Despite the agreement, the decision to negotiate with the group stands in contrast to global law enforcement advice, which typically warns against paying ransoms due to the risk of funding future attacks and the lack of guaranteed data destruction.