
Instructure Pays Ransom to ShinyHunters to Halt Canvas Data Leak

Instructure paid a ransom to ShinyHunters to stop the leak of 3.65TB of Canvas data from 9,000 schools. Details, impact, and mitigations.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: The Hacker News

TL;DR: Instructure paid a ransom to the ShinyHunters group to prevent the release of 3.65 terabytes of Canvas data stolen from nearly 9,000 schools and universities. The deal followed a second extortion wave that gave the company a May 12, 2026 deadline to avoid a public leak.

Context: Instructure, the Utah‑based maker of the Canvas learning management system, disclosed on Monday that it reached an agreement with the unauthorized actor behind a breach first detected in late April 2026. The attackers, linked to the ShinyHunters extortion crew, exploited an unspecified vulnerability in the Free‑for‑Teacher support‑ticket system to gain initial access. They exfiltrated about 275 million records containing usernames, email addresses, course names, enrollment information, and internal messages, while course content, submissions, and login credentials remained untouched.

Key Facts: The breach resulted in the theft of 3.65 terabytes of data, affecting roughly 9,000 organizations worldwide. On May 7, 2026, a second wave of unauthorized activity defaced Canvas login portals at about 330 institutions with extortion messages, setting a May 12, 2026 deadline for negotiation or public release. Instructure stated that paying the ransom was intended to give customers peace of mind despite uncertainty about cyber‑criminal behavior, and that the agreement covered all impacted customers, included the return of the stolen data, and provided digital confirmation of its destruction.

What It Means: The incident highlights how extortion groups increasingly target educational technology platforms to leverage personal data for follow‑on phishing and impersonation attacks. Although no credentials or coursework were exposed, the stolen personal details enable threat actors to craft convincing social‑engineering campaigns against students, staff, and parents. Instructure’s decision to pay a ransom deviates from the common recommendation against such payments, but the company argues it was taken to protect its user base.

Mitigations: Organizations using Canvas should immediately review Free‑for‑Teacher account activity and enforce multi‑factor authentication for all administrative roles. Security teams must rotate any tokens or credentials that may have been issued via the support‑ticket pathway and monitor for anomalous ticket creation or privileged access patterns. Applying the principle of least privilege, disabling unused support‑ticket APIs, and implementing strict input validation can reduce the risk of similar exploitation. Defenders should also deploy detection rules for MITRE ATT&CK techniques T1190 (Exploit Public‑Facing Application) and T1078 (Valid Accounts) to catch abuse of web‑application interfaces.

What to watch next: Observers will monitor whether any of the returned data resurfaces on underground markets and how institutions adjust their third‑party risk management for ed‑tech vendors in the coming months.
