Instructure Reaches Agreement With ShinyHunters After Canvas Breach Threatens Data Leak

Instructure, the edtech company behind Canvas, said it reached an agreement with the hackers who breached its systems after a first incident that temporarily went offline on April 30.

Mashable reported that ShinyHunters said it stole data from 275 million Canvas users at nearly 9,000 schools worldwide, and that the hackers later compromised school-specific login pages and defaced them with messages threatening to publicly release the stolen data unless Instructure agreed to "negotiate a settlement."

6abc Philadelphia

The Hacker News said the second wave of unauthorized activity tied to the same incident was detected on May 7, 2026, when Canvas login portals were defaced at roughly 330 institutions and Instructure was given a deadline of May 12, 2026 to negotiate a ransom or risk a data leak.

Instructure said it temporarily disabled Free-For-Teacher accounts after it "identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited," and Mashable reported that the second breach did not result in any stolen data.

BBC reported that the cyber-attack affected an estimated 9,000 institutions in the US, Canada, Australia and the UK, with exams disrupted after Canvas went down.

Instructure told customers it reached an "agreement" with the unauthorized actor involved, and The Hacker News said the company cited "concerns about the potential publication of data" while stating the pilfered data was returned along with digital confirmation of data destruction.

WRAL quoted Instructure saying, "This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor," while cybersecurity expert Doug Levin said he believed negotiations started when Canvas was restored.

ABC13 Houston

The BBC reported that Instructure paid the hackers not to publish stolen data online, and it quoted the company’s statement: "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control".

Inside Higher Ed said the deal meant hackers returned compromised data of some 275 million users across more than 8,800 institutions, and it noted the company did not disclose the deal’s monetary value.

In Telegram messages exchanged with the BBC, Shiny Hunters told the outlet it had hacked Canvas twice before last Thursday's attack, and the group said: "We have no comment on that."

Mashable said ShinyHunters’ "settlement" deadline to release the data on May 12 still loomed even after Canvas was brought back online, and it reported that Google searches for "canvas hacked" and "canvas down" spiked roughly 1,000 percent.

The Hacker News said the exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike, and it warned that leaked records can be used to impersonate school administrators, IT support, or financial aid offices.

WRAL reported that Durham Public Schools was still not allowing students and teachers to access Canvas, while the North Carolina Department of Public Instruction restored access to the platform along with multiple school districts including Wake County and Chapel Hill-Carrboro schools.

BBC described how students sitting exams in the US were particularly badly affected, including Mississippi State University where Aubrey Palmer said a ransom message suddenly appeared on their screens and read: "Shiny Hunters has breached Instructure (again)."

Instructure CEO Steve Daly apologized for disruption and said the company had "got the balance wrong," while the BBC reported that the breach was discovered on 29th April and claimed online by Shiny Hunters extortion group.