
Instructure Admits Deal with ShinyHunters After Canvas Breach Exposes 275 Million Records

Instructure says it reached an agreement with ShinyHunters to delete 275 million Canvas records, prompting a class-action and urging stronger auth controls.

Peter Olaleru, Cybersecurity Editor


Source: Govtech

Instructure confirmed it struck a deal with the ShinyHunters group to delete the 275 million student records taken from its Canvas platform, though terms were not disclosed. The breach forced a temporary shutdown of Canvas in early May, disrupted exams, and triggered a class‑action alleging over $5 million in damages.

Context

On April 29, attackers accessed Canvas through weakly protected Free‑For‑Teacher accounts, a tactic classified as MITRE ATT&CK T1078 (Valid Accounts). They exfiltrated email addresses, student IDs, and private messages that could include disability accommodation requests or harassment complaints. Instructure said there is no evidence that Social Security numbers, dates of birth, or passwords were taken.

On May 7 the hackers began altering Canvas pages, prompting Instructure to shut the site down. The outage forced universities such as Baylor to reschedule final exams and adjust dormitory move‑out plans. Service was partially restored later that day and declared fully functional soon after.

Key Facts

- ShinyHunters claimed to have stolen 275 million individual records from almost 9,000 schools worldwide and threatened to publish them unless paid.
- Instructure announced on Tuesday that it had reached an agreement with the hackers to delete the stolen data, without revealing any financial terms.
- A nursing student at Baylor University, identified as Jane Doe, filed a putative class‑action in the U.S. District Court in Waco, alleging negligence and seeking damages exceeding $5 million.
- The lawsuit notes that compromised messages may contain sensitive personal information, raising privacy concerns beyond basic identifiers.
- Former FBI Cyber Division deputy Cynthia Kaiser warned that paying a ransom does not guarantee data destruction and may encourage further extortion.
- Since the breach, at least two dozen federal lawsuits have been filed against Instructure or related entities.

What It Means

The incident highlights the risk of relying on legacy authentication methods for educational technology platforms. Defenders should:

- Enforce multi‑factor authentication on all administrative and teacher accounts (CISA Advisory AA23-001A).
- Disable or tightly restrict Free‑For‑Teacher accounts unless absolutely required, and monitor for anomalous login patterns (MITRE T1078 detection).
- Implement logging and alerting for unexpected page edits or mass data exports (MITRE T1041 – Exfiltration Over Web Services).
- Review third‑party integrations and OAuth tokens for unauthorized access.
- Maintain offline, encrypted backups of critical data to reduce reliance on attacker promises of deletion.
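The monitoring items in the list above (anomalous logins, unexpected page edits, mass exports) can be expressed as a sliding-window check over audit events. The following is an added example, not code from Instructure or from the original article; the event schema, account names, tier labels and thresholds are all hypothetical assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Assumed per-tier thresholds (hypothetical values): self-registered free-tier
# accounts get tighter limits than institution-provisioned ones.
LIMITS = {
    "free":        {"edits": 5,  "export_records": 10_000,  "login_ips": 3},
    "institution": {"edits": 50, "export_records": 100_000, "login_ips": 5},
}

def detect(lines, window=WINDOW, limits=LIMITS):
    """Return sorted (account, rule) pairs that breach a tier limit inside the sliding window."""
    recent = defaultdict(deque)  # account -> (timestamp, event) pairs still inside the window
    alerts = set()
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        now = datetime.fromisoformat(ev["ts"])
        q = recent[ev["account"]]
        q.append((now, ev))
        while now - q[0][0] > window:  # drop events older than the window
            q.popleft()
        lim = limits[ev["tier"]]
        edits = sum(1 for _, e in q if e["action"] == "page_edit")
        exported = sum(e["records"] for _, e in q if e["action"] == "export")
        ips = {e["ip"] for _, e in q if e["action"] == "login"}
        if edits >= lim["edits"]:
            alerts.add((ev["account"], "mass_page_edit"))
        if exported >= lim["export_records"]:
            alerts.add((ev["account"], "mass_export"))
        if len(ips) >= lim["login_ips"]:
            alerts.add((ev["account"], "multi_ip_login"))
    return sorted(alerts)

def _ev(ts, account, tier, action, ip="203.0.113.5", records=0):
    return json.dumps({"ts": ts, "account": account, "tier": tier,
                       "action": action, "ip": ip, "records": records})

# Constructed sample events; the schema is hypothetical, not a real Canvas log format.
SAMPLE = (
    [_ev(f"2024-01-01T09:0{i}:00", "free-77", "free", "page_edit") for i in range(5)]
    + [_ev(f"2024-01-01T09:0{i}:00", "free-77", "free", "export", records=6000) for i in (6, 8)]
    + [_ev(f"2024-01-01T09:1{i}:00", "free-88", "free", "login", ip=f"198.51.100.{i + 10}") for i in range(3)]
    + [_ev(f"2024-01-01T09:0{i}:00", "inst-01", "institution", "page_edit") for i in range(5)]
    + [_ev(f"2024-01-01T1{i}:00:00", "inst-01", "institution", "export", records=9000) for i in (2, 5)]
)

if __name__ == "__main__":
    for account, rule in detect(SAMPLE):
        print(f"ALERT {rule}: {account}")
```

The same five page edits that trip the free-tier limit stay below the institutional one, which is the point of tiering: thresholds should come from a baseline of normal activity for each account class.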

What to watch next: whether independent auditors can verify the claimed deletion of the 275 million records, the progress of the Jane Doe class‑action toward certification, and any further extortion attempts from ShinyHunters or similar groups targeting education technology.
