Educational technology giant Instructure, the company behind the popular Canvas learning management system, has reached an agreement with the cybercrime group ShinyHunters to prevent the leak of approximately 3.65 terabytes of sensitive data. The breach, which impacted nearly 9,000 educational institutions, saw threat actors gain access to user information through a vulnerability in Instructure's Free-for-Teacher environment.

Key Takeaways

• Instructure paid a ransom to ShinyHunters to prevent the leak of 3.65TB of Canvas data.

• The breach affected nearly 9,000 educational organizations.

• Usernames, email addresses, course names, and messages were compromised, but not course content or credentials.

• Instructure has temporarily shut down Free-for-Teacher accounts and implemented enhanced security measures.

The Ransom Agreement

Instructure confirmed on Monday that it had reached an "agreement" with the unauthorized actor responsible for the breach. This decision was driven by concerns over the potential publication of the stolen data, which included approximately 275 million records. The company stated that the agreement covers all impacted customers, and the pilfered data has been returned, with digital confirmation of its destruction.

"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," Instructure said in a statement. The company also indicated it has been assured that its customers will not face separate extortion attempts related to this incident.

Details of the Breach

The incident began late last month when ShinyHunters exploited an unspecified vulnerability related to "support tickets" within Instructure's Free-for-Teacher environment. This allowed them to access and exfiltrate a significant volume of data. A second wave of activity was detected on May 7, 2026, where Canvas login portals at around 330 institutions were defaced with extortion messages, setting a deadline of May 12, 2026, for negotiations.

The compromised data includes user information such as usernames, email addresses, course names, enrollment details, and messages. Instructure has stressed that critical data like course content, student submissions, and user credentials were not affected.

Instructure's Response and Security Measures

In response to the breach, Instructure has taken immediate steps to bolster its security. The Free-for-Teacher accounts have been temporarily disabled. The company has revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation processes, and deployed additional security controls. Instructure is also collaborating with expert vendors to conduct a thorough forensic analysis and enhance its overall cybersecurity posture.

Security experts warn that the exfiltrated data could be used by threat actors to launch targeted phishing campaigns against students, staff, and parents. Impersonating school administrators or IT support personnel are potential follow-on attack vectors. Institutions are advised to issue immediate phishing advisories and direct communications to their communities.

Sources

• Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak, The Hacker News.