Canvas Hack: Instructure Agrees to Ransom Deal in Exchange for Stolen Data

Data stolen in last week’s widespread cyberattack on an educational platform that affected students and schools across the Bay Area and the country has been returned, the targeted company said Monday.

Instructure, the Salt Lake City-based company that operates the widely used educational platform Canvas, said it agreed to a deal with the hacker group responsible in an effort “to take every step within our control to give customers additional peace of mind.”

The company didn’t provide details about the deal.

A cybersecurity expert, however, warned the deal could create a “dangerous feedback loop” showing bad actors that successful hacks will be rewarded.

“Even if organizations believe they are ‘resolving’ the immediate crisis, it reinforces the economic incentive structure behind cyber extortion and signals to threat actors that targeting large education platforms, or any critical service, can be profitable,” said Cliff Steinhauer, the director of information security and engagement at the National Cybersecurity Alliance.

He also said it normalizes payment as a response strategy to hacks, which can fuel further incidents.

Instructure announced Monday that it had reached an agreement with the “unauthorized actor” involved in the breach that last week affected customers of Canvas, which students and teachers across the country use to view and submit assignments and learning materials, take exams, participate in class discussions and more.

A black-hat hacker group called ShinyHunters has publicly taken credit for the incident.

On May 7, Instructure took Canvas offline for hours after a group claiming to be ShinyHunters posted pop-up messages viewed by many students and teachers who tried to access the program.

The company said that hackers had exploited an issue related to its “Free-for-Teacher” program, a demo program for educators whose schools aren’t Canvas users. That program has been temporarily suspended while the company does a full security review.

They restored access to Canvas on Friday, and many local school systems said they brought the software back online after completing their own safety checks.

Instructure said it first became aware of unauthorized activity in Canvas on April 29 and revoked the unauthorized party’s access. The following week, it became aware of additional activities tied to the same incident that allowed the hacker group to make changes to the pages that appeared when some students and teachers opened the app.

Many opened their Canvas applications to a message allegedly from ShinyHunters, saying that Instructure had until Tuesday to prevent the release of compromised data.

“Please consult with a cyber advisory firm and contact us privately … to negotiate a settlement,” the message, posted by various university publications, reads. “You have till the end of the day by 12 May 2026 before everything is leaked.”

The company said it discovered that hackers were able to access usernames, email addresses, course names, enrollment information and messages from the program’s customers. What it calls “core learning data,” like credentials, course content and assignment submissions, was not compromised, it said in a statement.

Instructure said in its statement on Monday that as a result of its agreement, it had received digital confirmation that it had been destroyed.

“We have been informed that no Instructure customers will be recorded as a result of this incident,” the company wrote.

Still, cybersecurity expert Steinhauer said there’s no reliable way to verify that the data has been deleted.

“History shows that data is often retained, resold or used in future extortion attempts,” he said.

If that is the case, Steinhauer added, the company might find itself at risk of a longer-term exposure problem, “with no additional leverage to prevent it.”