Instructure Confirms Deal with Hacker to Delete Stolen Canvas Data

In early May, Instructure took its Canvas learning management system offline after detecting unauthorized access, locking out students and faculty during finals week and affecting gradebooks, course materials, and messaging. The temporary shutdown affected over 20 million active Canvas users worldwide, according to the company’s internal metrics. The company said it worked with expert vendors to conduct a forensic analysis and began hardening its environment.

ShinyHunters publicly claimed responsibility, stating it had exfiltrated student ID numbers, email addresses, names, and platform messages from nearly 9,000 institutions affecting roughly 275 million individuals. The group demanded payment by May 6, later extending the deadline after some institutions engaged in negotiations. Instructure confirmed it reached an agreement with the unauthorized actor, though it did not disclose any payment details. As part of the arrangement, the compromised data was returned and Instructure received shred logs—digital records showing the hacker deleted remaining copies. The company noted there is no absolute guarantee the data is gone forever, but it acted to reduce the risk of public release. No evidence emerged that passwords, dates of birth, government IDs, or financial information were accessed.

The incident highlights the growing trend of ransomware groups targeting education platforms and leveraging stolen personal data for extortion. Organizations should review access controls, enforce multi‑factor authentication, and monitor for anomalous data transfers indicative of exfiltration (MITRE ATT&CK T1041). Implementing data loss prevention tools and encrypting sensitive fields at rest can limit the value of stolen data. Security teams should also maintain offline, immutable backups and test restoration processes regularly. Looking ahead, watch for any further disclosures from ShinyHunters, potential regulatory actions concerning student data privacy, and Instructure’s post‑incident hardening reports.