Instructure Pays Ransom to ShinyHunters After Massive Data Breach Affecting 9,000 Schools
Instructure, the company behind the widely used Canvas learning management system, confirmed it paid an undisclosed ransom to the cybercriminal group ShinyHunters following a late-April data breach that exposed personal information of over 275 million students, teachers, and staff across nearly 9,000 schools worldwide. The attack, which disrupted access to Canvas including North Carolina’s K-12 public schools, Duke University, and UNC-Chapel Hill triggered a state-mandated shutdown of the platform while Instructure negotiated with the hackers.
On April 29, ShinyHunters infiltrated Instructure’s systems, stealing data including usernames, email addresses, course details, and enrollment records. The group issued a ransom demand via a pop-up message in Canvas, setting a May 12 deadline before threatening to leak the stolen data. Instructure announced on May 20 that it had reached an agreement with the hackers, who claimed to return the data and provide "shred logs" as proof of destruction. The company stated that no further extortion attempts would target affected schools, though cybersecurity experts caution that such assurances from criminals are unverifiable.
North Carolina’s Department of Public Instruction had temporarily blocked Canvas access for public schools following the breach, restoring it only after Instructure secured the deal. While the state prohibits public agencies from paying ransoms, the restriction does not apply to private companies like Instructure. Critics, including Cliff Steinhauer of the National Cybersecurity Alliance, argue that paying ransoms reinforces the profitability of cyber extortion, potentially encouraging future attacks. The FBI is investigating the incident, which follows a 2025 ransomware attack on PowerSchool another education platform where hackers received approximately $2.85 million in Bitcoin.
Instructure emphasized its commitment to hardening its security posture and conducting a forensic review, though the long-term risks of retained or resold data remain a concern. The breach highlights the persistent threat to educational institutions, with ShinyHunters previously linked to attacks on three Ivy League schools in late 2025.
Source: https://www.newsobserver.com/news/local/education/article315722462.html
Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-
"id": "INS1778618561",
"linkid": "instructure-inc-",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Nearly 9,000 schools worldwide',
'industry': 'Education Technology',
'location': 'Global',
'name': 'Instructure (Canvas)',
'type': 'Company'},
{'industry': 'Education',
'location': 'North Carolina, USA',
'name': 'North Carolina’s K-12 public schools',
'type': 'Educational Institution'},
{'industry': 'Higher Education',
'location': 'North Carolina, USA',
'name': 'Duke University',
'type': 'Educational Institution'},
{'industry': 'Higher Education',
'location': 'North Carolina, USA',
'name': 'UNC-Chapel Hill',
'type': 'Educational Institution'}],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': 'Over 275 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Personal information',
'type_of_data_compromised': ['Usernames',
'Email addresses',
'Course details',
'Enrollment records']},
'date_detected': '2025-04-29',
'date_publicly_disclosed': '2025-05-20',
'description': 'Instructure, the company behind the widely used Canvas '
'learning management system, confirmed it paid an undisclosed '
'ransom to the cybercriminal group ShinyHunters following a '
'late-April data breach that exposed personal information of '
'over 275 million students, teachers, and staff across nearly '
'9,000 schools worldwide. The attack disrupted access to '
'Canvas, including North Carolina’s K-12 public schools, Duke '
'University, and UNC-Chapel Hill, triggering a state-mandated '
'shutdown while Instructure negotiated with the hackers.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Personal information of over 275 million '
'students, teachers, and staff',
'downtime': 'State-mandated shutdown of the platform',
'identity_theft_risk': 'Yes',
'operational_impact': 'Disrupted access to educational services',
'systems_affected': 'Canvas learning management system'},
'investigation_status': 'Ongoing (FBI investigation)',
'lessons_learned': 'Paying ransoms reinforces the profitability of cyber '
'extortion, potentially encouraging future attacks. '
'Long-term risks of retained or resold data remain a '
'concern.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': 'Hardening security posture, '
'conducting forensic review'},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Undisclosed',
'ransom_paid': 'Yes (undisclosed amount)'},
'recommendations': 'Hardening security posture, conducting forensic reviews, '
'and avoiding ransom payments to discourage future '
'attacks.',
'references': [{'source': 'Cyber Incident Description'}],
'response': {'containment_measures': 'State-mandated shutdown of the platform',
'enhanced_monitoring': 'Forensic review',
'law_enforcement_notified': 'FBI',
'recovery_measures': 'Restored access after securing deal with '
'hackers',
'remediation_measures': 'Negotiated with hackers, paid ransom'},
'threat_actor': 'ShinyHunters',
'title': 'Instructure Pays Ransom to ShinyHunters After Massive Data Breach '
'Affecting 9,000 Schools',
'type': 'Ransomware'}