Instructure, the maker of the popular school information portal Canvas, said Tuesday it has “settled” with hackers who breached its systems twice, stole vast amounts of student and staff data and disrupted thousands of schools that rely on the company’s software.
ShinyHunters, a financially motivated cybercrime group, took credit for the April 29 data breach, claiming to have stolen student and staff data, including personal information, of 275 million people. The hackers said they had breached Canvas, which nearly 9,000 schools use to manage their students’ data and courses.
Hackers last week breached the company for a second time, defacing Canvas login pages on school websites as part of efforts to pressure the company into paying their ransom.
The company said on its incident page late Monday that as part of the deal, the hackers had provided evidence that the stolen data was destroyed and that Canvas customers would not be extorted.
The company acknowledged that there is “never absolute certainty” when dealing with cybercriminals, but noted that customers should not engage with hackers.
Financial terms of the deal were not disclosed, and Instructure did not say how much it paid the hackers. Instructure spokesman Brian Watkins would not comment beyond the company’s statement or answer questions about the deal when contacted Tuesday.
In a post on its leak site, seen by TechCrunch, ShinyHunters had threatened to release the data it stole from Instructure if the company didn’t pay its blackmail demand.
As of Tuesday, the listing had been removed from the ShinyHunters page, indicating that a ransom may have been paid.
A spokesperson for ShinyHunters told TechCrunch: “The data is deleted, it’s gone. The company and [sic] Customers will not be further targeted or contacted for payment by us.”
It’s unclear why Instructure paid the hackers. Governments, including the United States, have long urged victims of cybercrime not to pay ransom to hackers, as this helps cybercriminals profit from their attacks. Security researchers have argued that victims cannot trust the word of malicious hackers: some cybercriminals have been found to keep stolen data, despite saying they had deleted it, in order to continue blackmailing their victims.
The Instructure hack mirrors a cyberattack on PowerSchool, which was hit by a massive data breach affecting 70 million students and staff in 2024. PowerSchool, which also makes school information software, paid the hackers to return the stolen data, but several of its customers were later blackmailed by another criminal group that showed the data from the breach had not been destroyed.
The FBI said in a statement last week that it was aware of the systemic disruption affecting schools and educational institutions in the United States. The notice did not name Canvas, but said victims should not “send payment or respond” to the cybercriminals’ demands.
The data stolen from Instructure, some of which has been seen by TechCrunch, includes students’ names, their personal email addresses and messages exchanged between teachers and students, including private and personal information.
On its website, Instructure acknowledged that hackers had breached the company’s systems twice in less than a year, but said the two breaches were “separate events” involving different systems.
Instructure said it is still investigating the breach and validating its findings.
It is unclear who at Instructure oversees or is responsible for cyber security, if not the company’s chief executive, Steve Daly. When contacted by TechCrunch, Instructure would not say whether Daly plans to resign following the data breaches.
Are you a Canvas administrator or a school notified of the breach? Have you received a blackmail request from hackers? We want to hear from you. To contact this reporter securely, use the Signal username zack whittaker.1337.
Updated with response from Instructure.
