Instructure Pays ShinyHunters to Recover 3.5TB of Stolen Student Data

After a breach exposing 3.5 TB of student data, Instructure reached an agreement with ShinyHunters to recover information and prevent extortion of its customers.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Mashable

TL;DR: Instructure confirmed it reached an agreement with the ShinyHunters hacking group to prevent the release of 3.5 terabytes of student data taken from its Canvas platform. The company said the stolen information was returned and that no customers will be extorted as a result.

Context: Last week, Canvas experienced a brief outage after ShinyHunters claimed responsibility for a breach and posted proof of stolen data on dark web forums. The group threatened to publish the full dataset unless a settlement was paid. Instructure avoided the term "ransom" but acknowledged returning the data as part of the deal.

Key Facts: Hackers claimed to have exfiltrated 3.5 TB of information, which could contain hundreds of millions of student records including names, email addresses, and academic details. Instructure stated that none of its customers will be extorted due to the incident and that the stolen data has been returned to them. The breach affected customer information stored in Canvas, though Instructure has not disclosed the exact types of data accessed.

What It Means: Paying threat actors contradicts guidance from the FBI and CISA, which warn that payments fund criminal activity and encourage future attacks. For education technology firms, the decision highlights the tension between protecting student privacy under regulations like FERPA and avoiding incentives for cybercrime. Organizations using Canvas should review their vendor risk contracts and verify that third‑party providers have incident‑response plans that do not rely on payments to attackers.

Mitigations: Defenders should enforce multi‑factor authentication on all administrative accounts, apply the principle of least privilege to data stores, and monitor for large‑volume outbound transfers using tools that detect exfiltration patterns (MITRE ATT&CK T1041). Ensure Canvas integrations are patched and review logs for unauthorized access attempts. Follow Instructure’s security advisories and subscribe to its vulnerability disclosure program.
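The outbound-volume monitoring recommended above can be sketched as a per-host baseline check. This is an added example, not code from Instructure or the original article; the flow-record layout, host names, internal network range and thresholds are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: address space treated as internal; any other destination is outbound.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records: (day, source host, destination IP, bytes sent).
FLOWS = [
    ("2024-05-01", "app-01", "203.0.113.10", 120_000_000),
    ("2024-05-01", "app-01", "10.0.4.7", 9_000_000_000),  # internal backup, ignored
    ("2024-05-02", "app-01", "203.0.113.10", 150_000_000),
    ("2024-05-03", "app-01", "203.0.113.10", 110_000_000),
    ("2024-05-05", "app-01", "203.0.113.10", 130_000_000),
    ("2024-05-01", "web-01", "203.0.113.80", 2_000_000_000),
    ("2024-05-02", "web-01", "203.0.113.80", 2_200_000_000),
    ("2024-05-03", "web-01", "203.0.113.80", 1_900_000_000),
    ("2024-05-04", "web-01", "203.0.113.80", 2_100_000_000),
]
# Four 900 MB uploads on one day: each unremarkable alone, 3.6 GB in aggregate.
FLOWS += [("2024-05-04", "app-01", "198.51.100.23", 900_000_000)] * 4

def is_outbound(dst):
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_outbound(flows):
    """Sum bytes sent to non-internal destinations per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_outbound(dst):
            totals[host][day] += nbytes
    return totals

def flag_exfil(flows, multiplier=5, floor=1_000_000_000, min_history=3):
    """Flag host-days whose outbound total exceeds both an absolute floor and
    a multiple of that host's own median over earlier days. The median keeps
    one anomalous day from inflating the baseline used for later days."""
    alerts = []
    for host, per_day in sorted(daily_outbound(flows).items()):
        history = []
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_history:
                if total > max(floor, multiplier * median(history)):
                    alerts.append((host, day, total))
            history.append(total)
    return alerts

if __name__ == "__main__":
    for host, day, total in flag_exfil(FLOWS):
        print(f"{day} {host}: {total / 1e9:.1f} GB outbound exceeds baseline")
```

The per-host baseline is what keeps the steadily busy `web-01` quiet while `app-01` is flagged for a day that is small in absolute terms but far outside its own history.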

What to watch next: Observe whether any of the claimed 3.5 TB resurfaces online and whether other EdTech vendors face similar extortion attempts.
