
Instructure, the company behind the widely used Canvas education platform, says it has struck an agreement with the cybercriminals who broke into its systems twice and claimed to have stolen data tied to hundreds of millions of people.
The company disclosed on its incident page late Monday that it had “reached an agreement” with the hackers, who are linked to the ShinyHunters extortion group. Instructure said the attackers provided evidence that the stolen data was destroyed and that Canvas customers would no longer be targeted for extortion.
Instructure also acknowledged there is “never complete certainty” when dealing with cybercriminals, but said that as part of the arrangement, its customers should not have to engage directly with the hackers. The company did not offer any assurances that the data would never be released, only that the attackers had signalled it was deleted.
ShinyHunters, a financially motivated cybercrime group, claimed responsibility for the April 29 intrusion. The group said it had accessed Canvas, which is used by nearly 9,000 schools to manage student information and coursework, and stolen personal data on 275 million people, including students and staff. That figure comes from the hackers’ claims; Instructure has not publicly confirmed the scope.
The same group then breached Instructure again, defacing Canvas login pages on school websites in an apparent effort to increase pressure on the company to meet its demands. The defacement followed earlier threats on ShinyHunters’ leak site to publish the stolen data if the company refused to pay.
TechCrunch reports that the listing for the Instructure data, which previously appeared on ShinyHunters’ site, had been removed as of Tuesday, a change that suggests a ransom may have been paid. A representative for ShinyHunters told TechCrunch that “the data is deleted, gone. The company and it’s [sic] customers will not further be targeted or contacted for payment by us.”
Instructure has not commented on any ransom payment. Financial terms of the agreement were not disclosed, and the company has not said whether, or how much, it paid the hackers. Spokesperson Brian Watkins declined to go beyond the published statement or answer questions about the agreement when contacted.
The data taken from Instructure’s systems includes students’ names, personal email addresses, and messages exchanged between teachers and students. Some of those messages, which TechCrunch has seen, contain private and personal information.
On its website, Instructure confirmed that attackers had breached its systems twice within a year, stressing that the incidents were “distinct events” involving different systems. The company said it is continuing to investigate and validate its findings. It has not clarified who is directly responsible for cybersecurity inside the organization, or whether any leadership changes are being considered. When asked if chief executive Steve Daly plans to resign following the breaches, Instructure did not respond.
U.S. law enforcement has been urging organizations not to give in to ransom demands. The FBI said in a statement last week that it was “aware” of system disruptions affecting schools and educational institutions around the United States. While the notice did not name Canvas or Instructure, it advised victims “not [to] send payment or respond” to cybercriminals’ demands.
Governments, including the U.S., have repeatedly warned that paying ransoms fuels further attacks. Security researchers have also pointed out that victims have little reason to trust that criminals will actually delete stolen data once paid. In past incidents, some groups have secretly held onto data, then used it or sold access to it for additional extortion later.
The Instructure case echoes a 2024 breach at PowerSchool, another major education software vendor. PowerSchool suffered a large-scale compromise that affected data on 70 million students and staff. In that case, PowerSchool paid hackers to have the stolen data returned. Despite that payment, several PowerSchool customers were later extorted by a different crime group that presented data from the same breach that had not been destroyed.
The comparison underlines why many security experts and regulators remain skeptical of any assurances from extortion groups. Even when an attacker claims data is “deleted,” there is no technical way for a victim to independently verify what has been kept, copied or sold.
For now, Instructure is telling customers that the hackers have provided proof of deletion and that schools and users should not face direct extortion related to this incident. But the company itself concedes that there can be no absolute certainty in agreements struck with cybercriminals, leaving millions of students, parents, teachers and administrators to wait for the outcome of an ongoing investigation.







