Instructure: Instructure reaches agreement with hackers after Canvas data breach

Instructure Strikes Deal with ShinyHunters to Prevent Leak of 3.6TB Stolen Data

Instructure, the provider of the Canvas learning management system, has negotiated with the ShinyHunters extortion group to prevent the release of data stolen in a recent breach impacting over 30 million educators and students. The cybercriminals claimed responsibility for exfiltrating more than 3.6 terabytes of data by exploiting cross-site scripting (XSS) vulnerabilities in Instructure’s Free-for-Teacher environment. The attack also included defacing Canvas login portals with an extortion message.

Instructure confirmed the breach, stating that the vulnerabilities allowed attackers to gain administrative access. While the company reported that the stolen data was returned and confirmed destroyed with no ransom paid, the FBI has warned that such agreements do not guarantee data security. This incident follows a separate September 2025 breach, also attributed to ShinyHunters, which targeted Instructure’s Salesforce instance.

In response, Instructure has temporarily disabled Free-for-Teacher accounts to address the security flaws and will host a webinar on May 13 to discuss the breach and mitigation efforts. The company has assured users that no further extortion demands will be met.

Source: https://www.scworld.com/brief/instructure-reaches-agreement-with-hackers-after-canvas-data-breach

Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-

"id": "INS1778690819",
"linkid": "instructure-inc-",
"type": "Breach",
"date": "5/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Over 30 million educators and '
                                              'students',
                        'industry': 'Education Technology',
                        'name': 'Instructure',
                        'type': 'Company'}],
 'attack_vector': 'Cross-Site Scripting (XSS)',
 'customer_advisories': 'Webinar on May 13 to discuss the breach and '
                        'mitigation efforts',
 'data_breach': {'data_exfiltration': 'Yes (3.6TB of data exfiltrated)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information of educators and '
                                        'students)',
                 'type_of_data_compromised': 'Educational data, personally '
                                             'identifiable information'},
 'description': 'Instructure, the provider of the Canvas learning management '
                'system, has negotiated with the ShinyHunters extortion group '
                'to prevent the release of data stolen in a recent breach '
                'impacting over 30 million educators and students. The '
                'cybercriminals claimed responsibility for exfiltrating more '
                'than 3.6 terabytes of data by exploiting cross-site scripting '
                '(XSS) vulnerabilities in Instructure’s Free-for-Teacher '
                'environment. The attack also included defacing Canvas login '
                'portals with an extortion message. Instructure confirmed the '
                'breach, stating that the vulnerabilities allowed attackers to '
                'gain administrative access. While the company reported that '
                'the stolen data was returned and confirmed destroyed with no '
                'ransom paid, the FBI has warned that such agreements do not '
                'guarantee data security. This incident follows a separate '
                'September 2025 breach, also attributed to ShinyHunters, which '
                'targeted Instructure’s Salesforce instance.',
 'impact': {'brand_reputation_impact': 'Potential brand reputation damage due '
                                       'to breach and extortion',
            'data_compromised': '3.6TB of data',
            'identity_theft_risk': 'High (30 million educators and students '
                                   'affected)',
            'operational_impact': 'Temporary disablement of Free-for-Teacher '
                                  'accounts',
            'systems_affected': 'Canvas learning management system, '
                                'Free-for-Teacher environment, login portals'},
 'initial_access_broker': {'entry_point': 'Cross-Site Scripting (XSS) '
                                          'vulnerabilities in Free-for-Teacher '
                                          'environment'},
 'motivation': 'Extortion, Data Theft',
 'post_incident_analysis': {'corrective_actions': 'Addressing security flaws '
                                                  'in Free-for-Teacher '
                                                  'environment',
                            'root_causes': 'Exploitation of XSS '
                                           'vulnerabilities in '
                                           'Free-for-Teacher environment'},
 'ransomware': {'data_exfiltration': 'Yes', 'ransom_paid': 'No ransom paid'},
 'references': [{'source': 'Cyber Incident Description'}],
 'response': {'communication_strategy': 'Hosting a webinar on May 13 to '
                                        'discuss the breach and mitigation '
                                        'efforts',
              'containment_measures': 'Temporarily disabled Free-for-Teacher '
                                      'accounts',
              'remediation_measures': 'Addressing security flaws in '
                                      'Free-for-Teacher environment'},
 'stakeholder_advisories': 'Assurance that no further extortion demands will '
                           'be met',
 'threat_actor': 'ShinyHunters',
 'title': 'Instructure Strikes Deal with ShinyHunters to Prevent Leak of 3.6TB '
          'Stolen Data',
 'type': 'Data Breach, Extortion',
 'vulnerability_exploited': 'Cross-Site Scripting (XSS) in Free-for-Teacher '
                            'environment'}