
Instructure Pays ShinyHunters to Prevent Leak of 3.5 TB Student Data

After a breach exposing 3.5 TB of student data, Instructure confirmed a deal with ShinyHunters to return the information and prevent extortion, outlining implications and defensive steps.

Peter Olaleru/3 min/US

Cybersecurity Editor


Source: Insidehighered (original source)

TL;DR: Instructure confirmed it reached an agreement with the ShinyHunters hacking group to prevent the release of 3.5 terabytes of student data, saying no customers will be extorted and the stolen information has been returned.

Context: Last week Canvas users noticed a brief outage after ShinyHunters claimed responsibility for a breach and posted screenshots of allegedly stolen data on dark web forums. The group said it had accessed customer information stored in Instructure's systems and demanded payment to avoid publishing the full dataset. Instructure's statement avoided the word "ransom" but described the outcome as a deal under which the data was returned.

Key Facts: The attackers allegedly exfiltrated 3.5 TB of data. Instructure has not published an inventory of what the archive contains; a volume that size could hold hundreds of millions of records, and the categories at risk include names, email addresses, grades, financial aid details, and health information. ShinyHunters has claimed prior intrusions at Microsoft, AT&T, and Ticketmaster and typically gains initial access through phishing (MITRE ATT&CK T1566) or compromised VPN credentials (T1078, Valid Accounts), then blends in by running commands through legitimate scripting interpreters such as PowerShell (T1059) rather than dropping custom malware. Instructure has not disclosed how the attackers got in, but the breach caused a temporary service disruption and prompted the company to engage external incident responders.

What It Means: By agreeing to the hackers' demand, Instructure joins a growing list of firms that have paid to keep stolen data private, a practice the FBI and CISA discourage because it funds criminal enterprises and signals that the victim will pay again. The decision also raises questions under student-privacy laws such as FERPA, which require institutions to protect educational records and leave them responsible for vendors that process those records on their behalf. Universities and school districts that rely on Canvas must now take on trust the claim that the data has been returned and no copies retained; exfiltrated data is trivially copied, so no "return" can be independently verified.

Mitigations: Security teams should enforce multi-factor authentication on all remote access points, review and harden VPN configurations, and monitor for anomalous admin tool usage (e.g., PowerShell or WMI invoked from accounts or hosts that do not normally use them). Keep internet-facing VPN appliances patched (e.g., CVE-2023-27997 in Fortinet FortiOS SSL-VPN) along with exposed application frameworks (e.g., CVE-2022-22965, Spring4Shell); the entry point in this breach is undisclosed, so this is hygiene rather than a fix for a known vector. Log every authentication attempt, successful and failed, and alert when a single source IP fails logins against many distinct accounts in a short window, which is the signature of credential stuffing. Deploy detection rules for large outbound transfers (e.g., >10 GB, with thresholds baselined per host so routine backup and sync traffic does not swamp the alert) and consider data-loss-prevention tools that can block exfiltration of sensitive student records. Finally, review third-party risk contracts to include clauses that require timely breach notification and proof of data deletion after any incident.
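As an added example (not Instructure's code and not from the original article), the two log-based detections in the mitigations above, credential stuffing and bulk outbound transfer, implemented in Python over constructed sample logs. The log formats, hosts and IP addresses are invented for illustration; the parsers would need to be mapped to your own identity-provider and flow logs.

```python
"""Two detectors for the mitigations described above (added example).

1. Credential stuffing: one source IP generating failed logins against many
   distinct accounts inside a short sliding window (ATT&CK T1110.004).
2. Bulk egress: an internal host whose outbound bytes in a fixed time bucket
   exceed a threshold (the ">10 GB" figure from the text, as a starting point).

Both log formats below are constructed for this example, not real product logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: <ISO time> <RESULT> <user> <source_ip>
# 203.0.113.7 sprays five accounts in eight seconds (stuffing);
# 198.51.100.2 retries one account three times (single-account guessing,
# deliberately NOT matched by this rule; that needs a per-account rule).
AUTH_LOG = """\
2024-05-01T09:00:01Z FAIL alice 203.0.113.7
2024-05-01T09:00:03Z FAIL bob 203.0.113.7
2024-05-01T09:00:04Z FAIL carol 203.0.113.7
2024-05-01T09:00:06Z FAIL dave 203.0.113.7
2024-05-01T09:00:07Z OK eve 203.0.113.7
2024-05-01T09:00:09Z FAIL frank 203.0.113.7
2024-05-01T09:12:00Z FAIL alice 198.51.100.2
2024-05-01T09:13:00Z FAIL alice 198.51.100.2
2024-05-01T09:14:00Z FAIL alice 198.51.100.2
2024-05-01T09:15:00Z OK alice 198.51.100.2
"""

# Constructed flow log: <ISO time> <src_ip> <dst_ip> <bytes_out>
# 10.0.5.21 pushes ~11 GiB to one external host within the 22:00 hour.
FLOW_LOG = """\
2024-05-01T22:05:00Z 10.0.5.21 203.0.113.50 6442450944
2024-05-01T22:40:00Z 10.0.5.21 203.0.113.50 5368709120
2024-05-01T22:50:00Z 10.0.5.22 198.51.100.9 734003200
2024-05-01T23:10:00Z 10.0.5.21 203.0.113.50 1073741824
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_stuffing(log, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: set(users)} for IPs whose FAILED logins cover at
    least `min_users` distinct accounts within any sliding `window`."""
    fails = defaultdict(list)
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        if result == "FAIL":
            fails[ip].append((_ts(ts), user))

    alerts = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window's left edge until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = alerts.get(ip, set()) | users
    return alerts


def detect_bulk_egress(log, threshold=10 * 2**30, bucket=timedelta(hours=1)):
    """Return {(src_ip, bucket_start): bytes} for hosts whose outbound bytes
    in a fixed `bucket` exceed `threshold` (default 10 GiB). In production the
    threshold should be a per-host baseline, not a single global constant."""
    totals = defaultdict(int)
    for line in log.splitlines():
        ts, src, _dst, nbytes = line.split()
        t = _ts(ts)
        bucket_start = t - (t - datetime.min) % bucket  # floor to bucket
        totals[(src, bucket_start)] += int(nbytes)
    return {k: v for k, v in totals.items() if v > threshold}


if __name__ == "__main__":
    for ip, users in detect_credential_stuffing(AUTH_LOG).items():
        print(f"credential stuffing from {ip}: {sorted(users)}")
    for (src, start), total in detect_bulk_egress(FLOW_LOG).items():
        print(f"bulk egress from {src} starting {start:%H:%M}: {total / 2**30:.1f} GiB")
```

The stuffing rule keys on distinct accounts per source, so a long password-guessing run against one account (the 198.51.100.2 lines) does not trip it; that pattern needs a separate per-account failure rule. The egress rule uses fixed hourly buckets for simplicity; a transfer straddling a bucket boundary would be split, which is one reason to pair it with DLP rather than rely on it alone.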

What to watch next: Whether any of the purported 3.5 TB resurfaces online, and how regulators and educational institutions respond to Instructure's handling of the breach.
