What happened
Instructure has paid a ransom to ShinyHunters, the extortion group behind two separate breaches of its Canvas learning management system, reaching a deal one day before the May 12 deadline the hackers had imposed. The company announced Monday night that it received digital confirmation of data destruction in the form of shred logs and assurance that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. The monetary value of the ransom was not disclosed.
The agreement covers data belonging to approximately 275 million users across more than 8,800 institutions, including names, email addresses, student ID numbers, and what ShinyHunters described as billions of private messages between students and teachers. Instructure stated that individual institutions have no need to engage with ShinyHunters directly, as the agreement covers all impacted customers.
The breach unfolded in two phases. ShinyHunters first contacted Instructure on May 3 with a ransom demand and a deadline of May 6. Instructure did not engage and instead implemented security patches, restoring Canvas to full operation by May 5. ShinyHunters then defaced Canvas login portals at approximately 330 institutions on May 8, blocking access for students and faculty during the final exam period, and set a new May 12 deadline. Instructure CEO Steve Daly acknowledged the company’s communication failures during the first phase and pledged a more transparent approach going forward. The company opened negotiations with the hackers ahead of the May 12 deadline and reached the settlement by Monday afternoon, with Canvas environments confirmed as available.
ShinyHunters has also been linked to recent data breaches at the University of Pennsylvania, Princeton, and Harvard.
Who is affected
Approximately 275 million students, teachers, and staff across more than 8,800 higher education and K-12 institutions had their data compromised. While Instructure has received confirmation of data destruction and a commitment against future extortion, the limitations of such assurances from criminal actors mean that the actual disposition of the data cannot be independently verified.
Why CISOs should care
The Instructure case will be studied as an example of ransom decision-making under educational sector pressure. The company’s initial refusal to engage prompted a second, more disruptive attack timed to coincide with final exams, a period of maximum operational sensitivity for higher education institutions. The escalation from data theft to portal defacement to exam disruption followed a clear pattern of pressure application designed to force engagement.
The outcome also illustrates the fundamental limitation of ransom payments as a resolution mechanism. Instructure received shred logs and a promise, neither of which constitutes verifiable proof of destruction. For security leaders advising boards on ransom policy, this case demonstrates both the pressure dynamics that drive payment decisions and the inherent uncertainty of outcomes even when payment is made.
3 practical actions
Brief institutional leadership on the limitations of ransom payment as a data recovery mechanism: Shred logs and criminal assurances are not independently verifiable. Institutions and organizations affected by this breach should treat the data as potentially still in circulation and adjust their risk posture accordingly, including monitoring for downstream use of student and staff data in phishing and social engineering campaigns.
Review communication and escalation protocols for major vendor security incidents during operationally critical periods: The exam period timing amplified the operational impact of the second Canvas outage. Ensure your incident response and business continuity plans include contingencies for critical vendor outages during peak operational windows, with pre-approved communication templates and escalation paths that do not depend on the vendor’s own communication timeline.
Assess dependency risk on single-vendor LMS infrastructure and develop contingency access procedures: The Canvas outages affected institutions that had no alternative path for course delivery or assessment submission. Review whether your institution’s critical academic workflows have offline or alternative delivery options that can be activated when primary LMS access is unavailable for an extended period.
