Instructure Pays Hackers to Delete Canvas Data After ShinyHunters Threatens 9,000 Schools
Instructure confirmed a deal with hackers to delete stolen Canvas data after ShinyHunters threatened to leak records from 9,000 schools unless a ransom was paid by May 6.
TL;DR
Instructure said it paid hackers to delete Canvas data after ShinyHunters threatened to leak records from 9,000 schools unless a ransom was paid by May 6.
Canvas is a learning management system used by schools for grades, assignments, and communication. In late April 2024, the platform suffered a breach that exposed student IDs, email addresses, names, and messages. Instructure took the service offline while investigating.
ShinyHunters claimed responsibility, demanding payment to prevent the leak of data affecting about 9,000 schools and 275 million individuals worldwide. The group set an initial deadline of May 6, later extending it as some institutions negotiated.
Instructure confirmed it reached an agreement with the unauthorized actor, though it did not disclose whether a payment was made. The company said it received digital confirmation, in the form of shred logs—cryptographic records proving files were deleted—that the hackers destroyed any remaining copies of the data.
The compromised information included student IDs, email addresses, names, and platform messages. Instructure stated that attackers did not access passwords, birth dates, government IDs, or financial data.
The disruption locked out students and faculty during finals week, affecting institutions such as the University of Kentucky and Fayette County Public Schools, which warned users to watch for phishing attempts using the exposed names and emails.
While the deal may have stopped immediate publication, security experts note that paying ransom does not guarantee data destruction and may encourage further attacks. The incident highlights the risk of relying on a single platform for critical academic functions.
Defenders should enforce multi-factor authentication, which requires a second verification step beyond a password, on all Canvas accounts. They should monitor for unusual data export activity and review third‑party integrations for excessive permissions. Organizations should apply patches for known vulnerabilities and enable logging aligned with MITRE ATT&CK technique T1041—attackers sending stolen data over command‑and‑control channels—to help detect similar behavior.
Organizations should also conduct regular tabletop exercises that simulate ransom demands and test backup restoration processes to reduce reliance on attacker promises.
Observers will watch for any resale of the leaked data on underground markets and for updates from Instructure on its post‑incident hardening efforts.