Canvas Breach: Company Pays Shiny Hunters to Delete Stolen Student Data
Instructure, the provider of the widely used academic platform Canvas, confirmed it paid a ransom to the cyber extortion group Shiny Hunters to prevent the release of stolen data. The breach, discovered on 29 April 2026, disrupted exams and operations at an estimated 9,000 institutions across the US, Canada, Australia, and the UK, with students like Mississippi State University’s Aubrey Palmer reporting sudden ransom messages mid-exam.
Shiny Hunters, an English-speaking group linked to previous attacks on companies like Jaguar Land Rover and Gucci, claimed responsibility and threatened to publish 3.5 terabytes of student and university data unless paid in Bitcoin. While Instructure did not disclose the payment amount, it stated the agreement included "digital confirmation of data destruction" and assured no further extortion of customers.
The company emphasized transparency, noting that paying ransomware groups despite law enforcement warnings was necessary to protect student data. However, past cases show hackers often retain stolen data even after payment. Shiny Hunters has a history of targeting organizations, including a prior breach of Instructure in September 2025, and is believed to operate through encrypted chats to negotiate payments.
The attack left students scrambling, with some universities postponing exams to recover lost work. Shiny Hunters declined to comment on the disruption caused.
Source: https://www.bbc.com/news/articles/cdepzg83x87o
Mississippi State University cybersecurity rating report: https://www.rankiteo.com/company/mississippi-state-university
Instructure cybersecurity rating report: https://www.rankiteo.com/company/instructure-inc-
"id": "MISINS1778603211",
"linkid": "mississippi-state-university, instructure-inc-",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '9,000 institutions (students '
'and universities)',
'industry': 'Education Technology',
'location': 'US',
'name': 'Instructure (Canvas)',
'type': 'EdTech Company'}],
'customer_advisories': 'Assurance of no further extortion of customers',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Likely included',
'sensitivity_of_data': 'High (personally identifiable '
'information likely included)',
'type_of_data_compromised': 'Student and university data'},
'date_detected': '2026-04-29',
'description': 'Instructure, the provider of the widely used academic '
'platform Canvas, confirmed it paid a ransom to the cyber '
'extortion group Shiny Hunters to prevent the release of '
'stolen data. The breach disrupted exams and operations at an '
'estimated 9,000 institutions across the US, Canada, '
'Australia, and the UK. Shiny Hunters threatened to publish '
'3.5 terabytes of student and university data unless paid in '
'Bitcoin. Instructure assured no further extortion of '
'customers after the payment.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'ransom payment and data breach',
'data_compromised': '3.5 terabytes of student and university data',
'identity_theft_risk': 'High (student data exposed)',
'operational_impact': 'Disrupted exams and operations at 9,000 '
'institutions',
'systems_affected': 'Canvas academic platform'},
'motivation': 'Extortion',
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Undisclosed (paid in Bitcoin)',
'ransom_paid': 'Yes'},
'references': [{'source': 'Incident report'}],
'response': {'communication_strategy': 'Transparency about ransom payment and '
'data protection measures'},
'threat_actor': 'Shiny Hunters',
'title': 'Canvas Breach: Company Pays Shiny Hunters to Delete Stolen Student '
'Data',
'type': 'Ransomware'}