Canvas Maker Reaches Secretive Deal with ShinyHunters After Data Theft

The company says stolen Canvas data was returned and destroyed, but it refuses to disclose what was exchanged in the deal.

Canvas owner Instructure confirmed it reached an agreement with the ShinyHunters hacking group after attackers claimed to have stolen data tied to hundreds of millions of students and educators.

“With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident,” according to a statement posted Monday by Steve Daly, CEO of Instructure.  

Daly said the stolen data was returned, digitally destroyed and would not be used to extort customers. The company said schools should not engage with the attackers. Instructure has not publicly stated what it gave in exchange.

The incident surfaced on May 1 after attackers briefly defaced Canvas login pages with extortion messages claiming they had stolen roughly 3.65 terabytes of data tied to nearly 9,000 schools and roughly 275 million users. The group threatened to begin leaking data May 12 if Instructure failed to respond.

Compromised information included usernames, email addresses, enrollment records, course information and private messages exchanged between students and teachers, Instructure said.

Ransomware and incident response experts frown on cooperating with attackers, viewing “data return” agreements as encouragement for future extortion attempts. They note that taking a criminal’s word that stolen data was deleted is highly unreliable.

“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” the FBI states.

Chainalysis found ransomware payments exceeded $813 million globally in 2024 despite increased law enforcement pressure. Sophos reports 49% of organizations hit by ransomware paid at least some form of ransom demand to recover data or end extortion pressure.

ShinyHunters claimed the breach affected data tied to roughly 275 million users across nearly 9,000 institutions. The prolific threat group has a reputation for large-scale data theft and extortion operations rather than encryption-focused ransomware campaigns.

The Justice Department’s actions against the ShinyHunters hacking group have culminated in the successful prosecution of key members, most notably French national Sebastien Raoult. Active primarily between 2020 and 2021, the group compromised dozens of companies worldwide, stealing and selling proprietary data on the dark web. Following his extradition from Morocco in early 2023, Raoult pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. In January 2024, he was sentenced to three years in prison and ordered to pay over $5 million in restitution, marking a significant milestone in the DOJ’s ongoing efforts to dismantle the infrastructure of this notorious international cybercriminal crew.

The education sector has become an increasingly popular ransomware and extortion target. Schools often operate with limited security staffing, sprawling user populations and large volumes of sensitive personal information, making them easy prey for adversaries.

The breach adds to broader questions about EdTech security maturity. In a September 2025 report, Sophos found that 49% of higher education ransomware victims blamed “unknown security gaps” as the top root cause, while lower education cited “lack of expertise” and “limited capacity to respond” at 42% each. The Center for Internet Security reported that 82% of reporting K-12 schools experienced cyber threat impacts between July 2023 and December 2024, including 8,100 confirmed cybersecurity incidents.

Recent high-profile attacks on the Los Angeles Unified School District, Minneapolis Public Schools and education software providers including PowerSchool have demonstrated how downstream SaaS compromises can ripple across entire school systems.

Instructure’s Daly expressed regret for how it handled the situation last week, posting a statement Monday:

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward.”

Image by Nikolay Georgiev from Pixabay
