Canvas owner pays hackers to stop data leak from 9,000 schools

Instructure has retrieved stolen data and confirmation of its deletion from the ShinyHunters group, which had threatened to leak records from nearly 9,000 schools. The company declined to say what it gave in exchange.

May 12th 2026 · United States

Instructure, the parent company of Canvas, one of the most widely used learning management systems in education, has reached an agreement with the ShinyHunters hacking group to prevent the release of stolen data from nearly 9,000 schools and universities worldwide. The Utah-based company confirmed on May 11, 2026, that it secured the return of stolen data and proof of deletion from the cybercriminals, along with assurances that no affected customers would face separate extortion attempts. The company did not disclose what, if anything, it provided in exchange for these terms, but the move follows a May 12 deadline set by the attackers after a second wave of attacks on May 7th defaced Canvas login portals at approximately 330 institutions with ransom demands.

The breach, which began with unauthorized activity detected on April 29, 2026, exploited a vulnerability in Canvas's Free-for-Teacher environment to exfiltrate approximately 275 million records containing usernames, email addresses, course names, enrollment information, and messages. ShinyHunters claimed responsibility for the attack and threatened to leak "several billions of private messages among students and teachers," demanding a settlement. Instructure emphasized that course content, submissions, and login credentials were not compromised in the incident.

The company has reported the breach to the FBI, the Cybersecurity and Infrastructure Security Agency, and other law enforcement agencies, while temporarily shutting down Free-for-Teacher accounts as a precautionary measure. ShinyHunters, a decentralized cybercrime group that emerged around 2020, has been linked to high-profile attacks on organizations including Ticketmaster, Salesforce, and the European Commission's platform.

Cybersecurity experts noted that the timing of the attack during exam season when institutions were highly dependent on the platform provided the hackers with significant leverage. Raluca Suca, CEO of Smarttech247, commented that the timing was designed to maximize pressure on the company, though she noted that paying ransoms carries no guarantee of data safety and may mark organizations as valuable targets for future attacks.