Instructure Strikes Deal with ShinyHunters to Secure 275 Million Stolen Student Records
Instructure, the company behind the Canvas learning platform, has reached an agreement with the hacking group ShinyHunters to prevent the leak of 275 million stolen student and teacher records. The breach, disclosed on 11 May 2026, followed a ransom demand from the hackers, who threatened to release the data unless paid by 12 May 2026.
Under the deal, Instructure confirmed that the stolen data was returned, and ShinyHunters provided "shred logs" digital proof of permanent deletion. While the company did not disclose whether a ransom was paid, it assured affected institutions that no further extortion attempts would occur. ShinyHunters later stated that the data was "nonexistent" and that they would no longer target Canvas or its users.
The attack unfolded in two phases. On 30 April 2026, ShinyHunters exploited a vulnerability in Canvas’s "Free for Teacher" accounts, gaining access to 3.65 terabytes of data, including names, email addresses, student IDs, course details, and billions of private teacher-student messages. A second attack on 7 May 2026 defaced login pages for 330 schools, displaying ransom notes and disrupting access to exams and assignments. Affected institutions included the University of Colorado and Virginia Tech, forcing Instructure to temporarily shut down services like Canvas Data 2 and Canvas Beta.
Instructure’s CEO, Steve Daly, apologized for the disruption, confirming that core academic data such as grades and submitted work remained uncompromised. The company has since disabled the vulnerable "Free for Teacher" accounts while addressing security flaws. While Canvas is now operational, experts caution that deleted data may still exist in hidden copies, posing risks for phishing scams.
Investigations into the breach are ongoing.
Source: https://hackread.com/instructure-reaches-deal-with-shinyhunters-to-prevent-canvas-data-leak/
Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-
"id": "INS1778711150",
"linkid": "instructure-inc-",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '275 million student and teacher '
'records',
'industry': 'Education Technology',
'name': 'Instructure (Canvas)',
'type': 'Company'},
{'industry': 'Higher Education',
'location': 'United States',
'name': 'University of Colorado',
'type': 'Educational Institution'},
{'industry': 'Higher Education',
'location': 'United States',
'name': 'Virginia Tech',
'type': 'Educational Institution'}],
'attack_vector': "Exploitation of vulnerability in 'Free for Teacher' "
'accounts',
'customer_advisories': 'Assurances to affected institutions, CEO apology',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '275 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Names',
'Email addresses',
'Student IDs',
'Course details',
'Private teacher-student '
'messages']},
'date_detected': '2026-04-30',
'date_publicly_disclosed': '2026-05-11',
'description': 'Instructure, the company behind the Canvas learning platform, '
'reached an agreement with the hacking group ShinyHunters to '
'prevent the leak of 275 million stolen student and teacher '
'records. The breach followed a ransom demand, with the '
'hackers threatening to release the data unless paid. The '
'stolen data was returned, and ShinyHunters provided proof of '
'permanent deletion. The attack exploited a vulnerability in '
"Canvas’s 'Free for Teacher' accounts, gaining access to 3.65 "
'terabytes of data, including names, email addresses, student '
'IDs, course details, and private messages. A second attack '
'defaced login pages for 330 schools, disrupting access to '
'exams and assignments.',
'impact': {'brand_reputation_impact': 'Significant',
'data_compromised': '3.65 terabytes',
'downtime': 'Temporary shutdown of services',
'identity_theft_risk': 'High',
'operational_impact': 'Disruption of exams and assignments, '
'defaced login pages for 330 schools',
'systems_affected': 'Canvas learning platform, Canvas Data 2, '
'Canvas Beta'},
'initial_access_broker': {'entry_point': "Vulnerability in 'Free for Teacher' "
'accounts'},
'investigation_status': 'Ongoing',
'motivation': 'Extortion, Financial Gain',
'post_incident_analysis': {'corrective_actions': 'Disabled vulnerable '
'accounts, addressed '
'security flaws',
'root_causes': 'Exploitation of vulnerability in '
"'Free for Teacher' accounts"},
'ransomware': {'data_exfiltration': 'Yes', 'ransom_demanded': 'Yes'},
'references': [{'source': 'Cyber Incident Description'}],
'response': {'communication_strategy': 'Public disclosure, CEO apology, '
'assurances to affected institutions',
'containment_measures': "Disabled vulnerable 'Free for Teacher' "
'accounts, temporary shutdown of '
'services',
'recovery_measures': 'Restored services, enhanced security '
'measures',
'remediation_measures': 'Addressed security flaws, returned '
'stolen data, received proof of '
'deletion'},
'threat_actor': 'ShinyHunters',
'title': 'Instructure Strikes Deal with ShinyHunters to Secure 275 Million '
'Stolen Student Records',
'type': 'Data Breach, Ransomware',
'vulnerability_exploited': "Vulnerability in Canvas’s 'Free for Teacher' "
'accounts'}