Instructure Pays Ransom to ShinyHunters to Prevent Canvas Data Leak

Canvas, Instructure’s learning management platform, serves more than 30 million active users across over 8,000 educational institutions worldwide. On April 25, 2026, ShinyHunters claimed responsibility for a breach that allegedly exfiltrated 3.65 TB of data linked to about 275 million records from roughly 8,900 schools. The stolen information included names, email addresses, student IDs and internal communications.

Instructure detected unauthorized activity on April 29, revoked the attacker’s access, launched an investigation and engaged external forensic experts. After an initial negotiation deadline passed, ShinyHunters defaced Canvas login portals at about 330 institutions on May 7 and began direct extortion of individual schools, setting a May 12 deadline. Instructure said it reached an agreement with the threat actor to prevent the data’s release; the arrangement reportedly included the return of the stolen data, proof of its destruction, assurances that affected customers would not be further extorted and a pledge that institutions would not need to negotiate directly with the attackers. The company did not disclose payment terms but acknowledged customer concerns and said protecting its community remains a top priority. Investigators traced the breach to a vulnerability in the Free‑For‑Teacher accounts, a free version of Canvas for individual educators, which Instructure temporarily shut down while applying fixes.

The incident highlights the risk posed by exposed free‑tier services that can serve as entry points for attackers targeting larger institutional environments. Paying a ransom does not guarantee data deletion, as attackers may retain copies, and it may encourage future extortion attempts. For affected schools, the breach underscores the need to monitor third‑party platform security and to have incident‑response plans that address data‑theft scenarios. Regulators may scrutinize how ed‑tech vendors handle extortion demands and whether payment practices align with emerging guidance on ransomware.

Security teams should immediately patch the Free‑For‑Teacher component or disable it if not required, following Instructure’s advisory. Enforce multi‑factor authentication on all Canvas admin and user accounts to mitigate credential‑based abuse (MITRE ATT&CK T1078). Monitor for anomalous login patterns and unauthorized portal changes using detection rules for T1190 (Exploit Public‑Facing Application) and T1566 (Phishing). Review and restrict public‑facing APIs, apply least‑privilege principles, and ensure regular backups are stored offline and encrypted. Finally, test incident‑response playbooks that include ransom‑negotiation decision frameworks and communication templates for stakeholders.