Instructure, the edtech giant behind the widely popular Canvas learning management system (LMS), has reached an “agreement” with the ShinyHunters extortion group to prevent the data stolen in a recent breach from being leaked online.
The company says over 30 million educators and students use its Canvas platform across more than 8,000 schools and universities worldwide.
In a Tuesday statement, Instructure said the cybercrime gang also returned the stolen data and provided shred logs confirming its destruction.
“We understand how unsettling situations like this can be, and protecting our community remains our top priority. With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident,” it said.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”
However, as the FBI has repeatedly warned, paying a ransom does not guarantee that threat actors will not also sell the stolen data to other cybercriminals or attempt to extort the victims again.
Instructure added that its leadership will share more information regarding the incident and the measures it has taken to secure its systems against future breach attempts in a May 13 webinar.
After the company confirmed that data had been stolen in the cyberattack, ShinyHunters claimed responsibility for the breach and said they stole more than 3.6TB of uncompressed data.
Instructure confirmed to BleepingComputer that ShinyHunters exploited a security issue in the Free-for-Teacher environment, a free, limited version of Canvas LMS for individual educators, to steal the data.
The cybercrime group also hacked Instructure again on May 7, using the same vulnerability as in the initial intrusion, to deface Canvas login portals and leave an extortion message, warning that the company and its customers had until May 12 to enter negotiations to pay a ransom.
Although the company didn’t share further details on the breach and defacements, BleepingComputer has learned that the attacker exploited multiple cross-site scripting (XSS) vulnerabilities.
ShinyHunters injected malicious JavaScript to exploit Canvas XSS flaws in user-generated content features, which allowed them to obtain authenticated admin sessions and perform privileged actions.
“The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas,” Instructure said. “Canvas has been restored and is fully back online and available for use. [..] We recommend that customers continue normal monitoring of their Canvas environments, integrations, and administrative activity.”
Since then, the company has temporarily shut down Free-For-Teacher accounts and said that it’s working to resolve these security issues to prevent future incidents.
In September 2025, Instructure disclosed another breach, also claimed by ShinyHunters, that allowed attackers to access data in the edtech giant’s Salesforce instance.
Other breaches recently claimed by ShinyHunters include those at Google, Cisco, PornHub, the European Commission, online dating giant Match Group, Rockstar Games, home security giant ADT, video service Vimeo, edtech giant McGraw-Hill, medical device maker Medtronic, and Spanish fast-fashion retailer Zara.