Instructure, the developer behind the widely used educational platform Canvas, confirmed on Tuesday that it has reached a settlement with the cybercriminal group responsible for two consecutive system breaches. The attacks resulted in the theft of sensitive data belonging to millions of students and staff, while triggering widespread operational disruptions across thousands of academic institutions.
The Scope of the ShinyHunters Cyberattack
The hacking collective known as ShinyHunters claimed responsibility for the initial April 29 breach, asserting they had exfiltrated personal information of approximately 275 million individuals. Canvas, which serves as a central hub for coursework and student data management, is utilized by nearly 9,000 schools globally. Following the initial theft, the hackers compromised the company’s systems a second time last week, defacing login pages on school websites to escalate pressure for a ransom payment.
Terms of the Agreement and Data Status
According to an official incident update released by the company, the agreement includes a mandate for the hackers to destroy the stolen data and cease extortion attempts against Canvas customers. While Instructure admitted there is “never complete certainty” when dealing with cybercriminals, they maintained that the deal ensures customers will not be directly targeted.
The financial details of the settlement remain undisclosed. Instructure spokesperson Brian Watkins declined to provide further comment regarding the payment or the company’s internal cybersecurity accountability, including whether CEO Steve Daly faces any repercussions for the security failures.
Industry Risks and Official Warnings
The decision to pay a ransom contradicts long-standing guidance from government bodies, including the FBI. The agency recently issued a public statement urging organizations to “not send payment or respond” to extortion demands, noting that such payments incentivize further criminal activity. Security experts frequently warn that victims cannot rely on the promises of hackers, as stolen data is often retained for future extortion regardless of deletion claims.
This incident mirrors the 2024 attack on PowerSchool, where a similar payment was made. In that instance, despite the ransom, a separate criminal group later extorted customers using data that had not been destroyed as promised.
Investigation and Impact
The stolen information includes student names, personal email addresses, and private correspondence between teachers and students. Instructure currently characterizes the two breaches as “distinct events” involving different internal systems and states that a comprehensive investigation remains ongoing. As of Tuesday, the extortion listing had been removed from the ShinyHunters’ leak site, suggesting the transaction has been completed.