Instructure Reaches Deal with ShinyHunters After Massive Canvas Data Breaches
Instructure, the educational technology giant behind the Canvas learning management system, has reached a settlement with the cybercrime group responsible for two recent security breaches. The hackers, known as ShinyHunters, successfully infiltrated the company’s systems, stealing a massive trove of data and disrupting operations for thousands of educational institutions.
A High-Stakes Extortion Campaign
The cyberattack began on April 29, when ShinyHunters claimed to have compromised Canvas and stolen the personal information of 275 million students and staff. To increase pressure on the company, the group launched a second attack last week, defacing Canvas login pages on various school websites.
The stolen data includes:
- Full names and personal email addresses
- Private messages exchanged between teachers and students
- Sensitive academic and personal records
Nearly 9,000 schools rely on Canvas to manage coursework and student data, making the breach one of the most significant hits to the education sector in recent years.
Terms of the Agreement
In a recent update, Instructure confirmed it had “reached an agreement” with the hackers. While the company did not disclose financial details or explicitly confirm a ransom payment, ShinyHunters has since removed the stolen data from its leak site. A representative for the group told TechCrunch that the data has been destroyed and that customers will no longer be targeted.
Instructure stated that the hackers provided evidence of the data’s destruction. However, the company acknowledged that “complete certainty” is impossible when negotiating with cybercriminals.
A Controversial Strategy
Instructure’s decision to engage with the hackers goes against long-standing guidance from the FBI, which urges victims not to pay ransoms. Paying cybercriminals often fuels future attacks and offers no real guarantee that data won’t be leaked or sold later.
The situation mirrors a 2024 breach at PowerSchool, another major education software provider. Despite paying a ransom for the “destruction” of stolen data, many PowerSchool customers were later extorted by a separate criminal group using the exact same information.
While Instructure continues to investigate, it maintains that the two recent breaches were distinct events involving different systems. The company has not yet addressed questions regarding leadership accountability or potential changes to its cybersecurity oversight.
