Instructure settles with ShinyHunters after dual breaches exposed data of 275 million

Instructure, the developer of the widely used Canvas school information portal, has confirmed it has reached an agreement with the cybercrime group ShinyHunters following two separate breaches of its systems. The attacks, which occurred in under a year, resulted in the theft of data belonging to approximately 275 million people, including students, staff, and their personal email addresses. While the company has not disclosed the specific financial terms of the settlement, it stated that the hackers have provided evidence that the stolen information has been destroyed.

The first breach took place on April 29, when ShinyHunters claimed to have compromised teacher accounts to gain network access. A second incident occurred last week, involving the defacement of Canvas login pages on school websites to pressure the company into paying a ransom. Instructure noted that these were distinct events involving different systems, yet the cumulative impact disrupted thousands of schools that rely on the software to manage student data and coursework.

As part of the deal, a representative from ShinyHunters stated that the data is now deleted and that the company and its customers will not be targeted again. The group subsequently removed their extortion listing from their leak site, a move that typically indicates a ransom has been paid. However, Instructure acknowledged that there is never complete certainty when negotiating with cybercriminals and emphasised that customers should not have to engage with the hackers directly.

The decision to pay the ransom comes despite advice from US government agencies, including the FBI, which urge victims of cybercrime not to send payments or respond to demands. The FBI issued a notice regarding the system disruption affecting educational institutions but did not name Canvas specifically. Security researchers have long argued that victims cannot fully trust malicious actors, citing cases where data was retained despite promises of deletion.

This incident mirrors a similar breach at competitor PowerSchool in 2024, where paying a ransom failed to prevent subsequent extortion attempts by a different crime group using data that had not been destroyed. In that case, customers were later extorted by a group that showed data from the original breach which had supposedly been destroyed. The parallel raises questions about the efficacy of paying ransoms as a strategy to mitigate long-term risk in the education sector.

Instructure CEO Steve Daly has not commented on whether he plans to resign following the incidents, nor has the company clarified who oversees cybersecurity responsibilities within the firm. While the company stated it is still investigating the breaches and validating its findings, the immediate priority appears to be resolving the extortion threat. The lack of transparency regarding the payment amount leaves the full cost of the cyberattack to the imagination of investors and stakeholders.