Instructure Strikes Deal with Hackers to Delete Stolen Canvas Data Amid Finals Chaos
Instructure, the parent company of the widely used online learning platform Canvas, announced it had reached an agreement with hackers to delete data stolen in a recent cyberattack that disrupted students and faculty during critical exam periods. The company confirmed the deal in an online post but did not disclose whether a ransom was paid or identify the threat actors involved.
The breach, which forced Instructure to temporarily take Canvas offline, was claimed by the hacking group ShinyHunters. The group initially threatened to leak data from nearly 9,000 schools worldwide and 275 million individuals unless a ransom was paid by May 6. After extending the deadline suggesting negotiations with some institutions the group later provided Instructure with "shred logs" as digital confirmation that the stolen data had been destroyed.
Despite the agreement, Instructure acknowledged there was no guarantee the data was permanently erased, stating it acted to mitigate the risk of public exposure. The compromised data included student ID numbers, email addresses, names, and Canvas platform messages, though the company found no evidence of passwords, financial details, or government IDs being accessed.
The disruption caused widespread panic as students and faculty were locked out of the platform a critical tool for managing grades, assignments, quizzes, and course materials. Canvas serves as a central hub for instruction, acting as a gradebook, digital lecture repository, discussion board, and submission portal for exams and final projects.
Instructure is now working with cybersecurity vendors to conduct a forensic analysis, strengthen its systems, and review the scope of the breach. The incident highlights the vulnerability of educational platforms during high-stakes academic periods.
Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-
"id": "INS1778611437",
"linkid": "instructure-inc-",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Nearly 9,000 schools worldwide, '
'275 million individuals',
'industry': 'Education Technology',
'name': 'Instructure (Canvas)',
'type': 'Company'}],
'customer_advisories': 'Announcement of agreement with hackers to delete '
'stolen data',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '275 million individuals',
'personally_identifiable_information': 'Student ID numbers, '
'email addresses, '
'names',
'sensitivity_of_data': 'Moderate (no passwords, financial '
'details, or government IDs)',
'type_of_data_compromised': 'Student ID numbers, email '
'addresses, names, Canvas '
'platform messages'},
'description': 'Instructure, the parent company of the widely used online '
'learning platform Canvas, announced it had reached an '
'agreement with hackers to delete data stolen in a recent '
'cyberattack that disrupted students and faculty during '
'critical exam periods. The breach forced Instructure to '
'temporarily take Canvas offline and was claimed by the '
'hacking group ShinyHunters, who threatened to leak data from '
'nearly 9,000 schools worldwide and 275 million individuals '
'unless a ransom was paid. The compromised data included '
'student ID numbers, email addresses, names, and Canvas '
'platform messages, though no passwords, financial details, or '
'government IDs were accessed.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Student ID numbers, email addresses, names, '
'Canvas platform messages',
'downtime': 'Temporary takedown of Canvas platform',
'identity_theft_risk': 'Potential (student ID numbers, email '
'addresses, names)',
'operational_impact': 'Disruption of exams, grades, assignments, '
'quizzes, and course materials during '
'critical academic periods',
'payment_information_risk': 'No',
'systems_affected': 'Canvas online learning platform'},
'investigation_status': 'Ongoing (forensic analysis in progress)',
'lessons_learned': 'Vulnerability of educational platforms during high-stakes '
'academic periods; importance of mitigating data exposure '
'risks even without ransom payment confirmation.',
'motivation': 'Extortion',
'post_incident_analysis': {'corrective_actions': 'Strengthening systems, '
'reviewing breach scope'},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (amount undisclosed)'},
'recommendations': 'Strengthen cybersecurity measures for educational '
'platforms, conduct regular forensic analyses, and enhance '
'incident response plans to minimize disruptions during '
'critical periods.',
'references': [{'source': 'Instructure Online Post'}],
'response': {'communication_strategy': 'Online post announcing agreement with '
'hackers',
'containment_measures': 'Temporary takedown of Canvas platform',
'remediation_measures': 'Forensic analysis, system '
'strengthening, breach scope review',
'third_party_assistance': 'Cybersecurity vendors'},
'threat_actor': 'ShinyHunters',
'title': 'Instructure Strikes Deal with Hackers to Delete Stolen Canvas Data '
'Amid Finals Chaos',
'type': 'Data Breach'}