Instructure, the education technology company behind the popular Canvas learning management system, has reached an “agreement” with the ShinyHunters extortion group to stop stolen data from a recent breach from being leaked online.

The company says more than 30 million educators and students use Canvas across over 8,000 schools and universities worldwide. In a statement on Tuesday, Instructure said the cybercrime group had also returned the stolen data and provided shred logs showing it had been destroyed.

Instructure said it understands how unsettling such incidents can be and that protecting its community remains its top priority. The company added that, because of that responsibility, it reached an agreement with the unauthorized actor involved in the incident.

According to Instructure, no affected customers will be publicly or privately extorted because of the breach. The company also said the agreement applies to all impacted Instructure customers, meaning individual schools, universities, or users do not need to contact the threat actor separately.

However, law enforcement agencies, including the FBI, have repeatedly warned that paying a ransom or reaching a deal with cybercriminals does not guarantee that stolen data will not later be sold, leaked, or used for further extortion attempts.

Instructure said its leadership will share more details about the incident and the steps it has taken to strengthen its systems during a webinar scheduled for May 13.

ShinyHunters previously claimed responsibility for the breach and said it had stolen more than 3.6TB of uncompressed data. The company later confirmed that data had been stolen during the cyberattack.

READ
Google Helps Dismantle NetNut Botnet That Hijacked Millions of Android Devices

Instructure told BleepingComputer that ShinyHunters exploited a security issue in the Free-for-Teacher environment, a free and limited version of Canvas LMS designed for individual educators. The attackers used that issue to steal data from the platform.

The cybercrime group also hacked Instructure again on May 7 by using the same vulnerability from the first intrusion. During that attack, the group defaced Canvas login portals and left an extortion message, warning that Instructure and its customers had until May 12 to begin ransom negotiations.

Although Instructure has not shared full technical details about the breach and defacements, BleepingComputer reported that the attackers exploited multiple cross-site scripting vulnerabilities. ShinyHunters allegedly injected malicious JavaScript into Canvas user-generated content features, which allowed them to obtain authenticated admin sessions and perform privileged actions.

Instructure said the unauthorized actor made changes to pages that appeared when some students and teachers were logged into Canvas. The company said Canvas has since been restored and is fully back online. It also advised customers to continue monitoring their Canvas environments, integrations, and administrative activity.

Following the incident, Instructure temporarily shut down Free-for-Teacher accounts while it works to fix the security issues and prevent similar attacks in the future.

This is not the first time Instructure has dealt with a breach linked to ShinyHunters. In September 2025, the company disclosed another incident, also claimed by the group, in which attackers accessed data from its Salesforce instance.


Buy ExpressVPN with PayPal or Credit Card
READ
Hackers Launch 81 Million Microsoft 365 Login Attempts in Massive Password Spraying Campaign

ShinyHunters has also recently claimed responsibility for breaches involving several major organizations, including Google, Cisco, PornHub, the European Commission, Match Group, Rockstar Games, ADT, Vimeo, McGraw-Hill, Medtronic, and Zara.

Advertisement