
Instructure Pays Ransom to Recover Data of 275 Million Canvas Users

Instructure paid a ransom to ShinyHunters to recover data of 275 million Canvas users. Details on the attack, impact, and defender actions.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Insidehighered

Instructure paid a ransom to the ShinyHunters extortion group, resulting in the return of data belonging to about 275 million users from over 8,800 institutions. The payment was made one day before a May 12 deadline, after two Canvas disruptions interrupted final exams and assignments.

Context

Instructure's Canvas learning management system serves 41% of higher education institutions in North America. Over a week and a half, ShinyHunters breached Canvas twice, stealing names, email addresses, and student ID numbers, and threatening to leak the data unless a ransom was paid.

Key Facts

The first breach occurred in early May; Canvas was restored by May 5 after Instructure applied security patches.
A second breach followed on May 8, locking users out again and displaying a ransom note from ShinyHunters with a May 12 deadline.
Instructure paid the ransom on May 11, receiving digital confirmation that the stolen data had been destroyed.
The company said the agreement covers all impacted customers and that individual institutions need not negotiate directly with the attackers.

What It Means

The incident highlights the vulnerability of widely used ed-tech platforms to double-extortion ransomware. While data was returned, the episode erodes trust and may prompt institutions to reassess third-party risk management. Financial terms were not disclosed, but ransom payments often encourage further criminal targeting of the education sector.

Mitigations

Enforce multi-factor authentication for all administrative and user accounts.
Monitor for anomalous login attempts and privilege escalation (MITRE ATT&CK T1078).
Apply vendor-provided patches promptly and maintain an asset inventory to detect unmanaged systems.
Keep offline, encrypted backups of critical data and test restoration regularly.
Deploy network segmentation to limit lateral movement (T1021).
Use threat-intelligence feeds to block known ShinyHunters indicators of compromise.

Watch for any further communications from ShinyHunters on underground forums or signs of the leaked data surfacing, which would indicate the extortion deal failed.
