
Instructure reaches deal with ShinyHunters following Canvas attack

Instructure says it reached an agreement with ShinyHunters, the group behind last week's Canvas cyberattack, after the hackers escalated their extortion campaign by defacing the platform's login pages and taking it offline during finals season.

 

What happened

After ShinyHunters set an initial May 6 ransom deadline that Instructure did not publicly respond to, the hackers defaced Canvas login pages at roughly 330 institutions and pivoted to school-by-school extortion, ultimately taking the platform offline on May 8. By Friday, Instructure restored Canvas to full operation. On Monday, the company announced it had reached a settlement with the attackers, stating that "the data was returned to us" and that it received "digital confirmation of data destruction (shred logs)." The company added that no Instructure customers would face further extortion as a result of the incident. Instructure CEO Steve Daly confirmed the attack exposed usernames, email addresses, course names, enrollment information, and messages, but insisted course content, submissions, and credentials were not compromised. The House Homeland Security Committee has since sent a letter requesting a briefing with Daly or a senior Instructure leader by May 21.

 

The backstory

On May 1, Instructure acknowledged a "cybersecurity incident perpetrated by a criminal threat actor." By May 2, the company said it had contained the situation and disclosed that names, email addresses, student ID numbers, and user messages may have been compromised. ShinyHunters then sent a ransom letter to Instructure on May 3, claiming it held data from approximately 9,000 schools and warning that a May 6 deadline was approaching. Instructure did not publicly respond to those demands.

When the deadline passed without engagement, ShinyHunters escalated by defacing Canvas login pages at roughly 330 institutions, pivoting to school-by-school extortion, and setting a new deadline of May 12. On May 8, Canvas went offline mid-day. The hackers characterized the disruption as retaliation, stating that instead of contacting them to resolve the situation, Instructure "ignored us and did some 'security patches.'" The outage forced universities including Harvard, Columbia, Georgetown, and Penn State to cancel or delay exams and find alternative arrangements during finals season.

 

What was said

Instructure CEO Steve Daly apologized publicly over the weekend: "Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that."

On the settlement, Instructure said, "While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible."

Cynthia Kaiser of Halcyon's Ransomware Research Center told CyberScoop, "By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move... Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact."

 

Why it matters

This attack exposed a vulnerability in how ed-tech platforms sit at the center of academic infrastructure. Canvas is not just a repository for personal data; it is a key system used by modern universities. When it went down during finals, it didn't just expose student IDs and email addresses; it disrupted the actual delivery of education at scale.

What's more, Instructure's response shows the position ed-tech companies face: pay, and you validate the extortion model, potentially inviting future attacks; don't pay, and you risk a data dump that turns millions of student records into phishing fodder. Lastly, congressional attention means that policymakers will begin to treat third-party education platforms as critical infrastructure, which has implications for how vendors like Instructure will be expected to respond, communicate, and harden their systems in the future.

 

The bottom line

Instructure says Canvas is safe and fully operational. Universities and school districts should audit what data they share with third-party LMS platforms, build LMS-outage contingency plans before the next incident, and treat phishing attempts exploiting this breach as an active, ongoing threat. Students and faculty should change Canvas passwords and watch for emails impersonating Canvas or their institution.

 

FAQs

Did Instructure pay the ransom?

Instructure has not confirmed paying a ransom, only stating that it reached an "agreement" that resulted in the data being returned and digital confirmation of its destruction.

 

Can ShinyHunters be trusted to have deleted the data?

Cybersecurity experts warn that threat actors cannot be reliably trusted to destroy stolen data, even after providing shred logs as proof.

 

Are students at risk of identity theft?

Exposed information like names, email addresses, and student IDs can be used to craft convincing phishing attacks, so students should remain vigilant and monitor for suspicious communications.

 

Will Instructure face any legal consequences?

The House Homeland Security Committee has already requested a briefing with Instructure leadership, signaling potential regulatory and legal scrutiny ahead.
