Instructure settles ransom demand with ShinyHunters following dual Canvas breaches affecting 275 million users
The agreement, reached just before the May 12 deadline, restores access for 8,800 institutions but leaves the specific sum undisclosed and raises questions regarding independent verification of data destruction.
Education technology company Instructure has confirmed it has paid a ransom to the cybercriminal gang ShinyHunters following two separate breaches of its Canvas learning management system. The deal was finalised one day before the May 12 deadline imposed by the attackers, securing the return of compromised data belonging to approximately 275 million users across more than 8,800 institutions. Instructure received digital confirmation of data destruction and assurance that no further extortion would be directed at its customers.
The incident triggered significant operational disruptions, forcing many universities to postpone exams and final project deadlines. The compromised data reportedly included names, email addresses, student ID numbers, and several billions of private messages between students, teachers, and other students. ShinyHunters, a known extortionist group previously linked to breaches at the University of Pennsylvania, Princeton, and Harvard Universities, initially demanded payment by 6 May 2026. Instructure appeared to ignore this initial demand while addressing security patches, which led to a second, more severe breach on Thursday where users could only see a hacker message.
Instructure CEO Steve Daly acknowledged a failure in communication strategy during the initial response, admitting the company went quiet when consistent updates were needed and pledged to improve transparency moving forward. While the company did not disclose the monetary value of the ransom, it stated that individual customers have no need to engage directly with ShinyHunters regarding the incident. The agreement covers all impacted Instructure customers, though the specific extent of data exposure prior to the payment remains partially unclear.
The company stated it received digital confirmation of data destruction in the form of shred logs, alongside assurance that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. However, there is no independent forensic verification of the shred logs provided by the attackers. The assurance that no further extortion will occur relies solely on the word of ShinyHunters, a group with a history of non-compliance with promises.
Canvas is used by 41 per cent of higher education institutions in North America, making the scale of the breach particularly significant for the sector. Instructure continues to work with expert vendors to support forensic analysis, further harden its environment, and conduct a comprehensive review of the data involved. The company promised to provide updates as that work progresses, maintaining that it took every step within its control to give customers additional peace of mind to the extent possible.
