Instructure Pays Ransom to ShinyHunters After Canvas Breach

Executive Summary

Education technology firm Instructure paid an undisclosed ransom to the ShinyHunters cybercriminal group after two intrusions into its Canvas learning management platform compromised data from approximately 9,000 customer institutions. The decision to pay came hours after the U.S. House Homeland Security Committee announced it would investigate the incident, which left millions of students unable to access course materials during final exam periods. Instructure stated that the agreement includes digital confirmation of data destruction and that no individual customer will be extorted as a result of the breach, according to a company disclosure published late Monday.

Technical Analysis

ShinyHunters breached Instructure's Canvas platform on two separate occasions within a two-week window. The first intrusion occurred on May 1, 2026, during which the group exfiltrated troves of sensitive data including names, email addresses, student IDs, and messages between students and professors. Instructure initially claimed the incident was contained on May 2, according to a letter from Rep. Andrew Garbarino (R-NY) to Instructure CEO Steve Daly. However, on May 7, ShinyHunters defaced the Canvas platform with a ransom message visible to users logging into the system, indicating a second successful intrusion.

The recurrence of the breach within days of the initial disclosure prompted Garbarino to question Instructure's incident response capabilities. In his letter, Garbarino wrote that the "gap between Instructure's public characterization of this event and the scale suggested by the attacker's own claims warrants a full and transparent accounting." He further noted that the company's "apparent failure to fully remediate the underlying vulnerabilities during that window" raises serious questions about its obligations to affected institutions.

Instructure temporarily shut down the Canvas platform following the second intrusion, disrupting access for thousands of universities and K-12 schools that rely on the system for course materials and communication. The company has since restored service and CEO Steve Daly published a letter to customers stating that Canvas is currently safe to use. Instructure has retained CrowdStrike and an unnamed second cybersecurity firm to conduct forensic analysis and harden its environment.

ShinyHunters demanded ransoms from individual schools and threatened to leak the stolen data on May 12. As of Monday, the group's leak site was taken offline, with several cybersecurity experts suggesting potential FBI action targeting the group. The FBI confirmed to Recorded Future News that it is aware of the disruption and advised students not to respond to direct payment demands from the hackers, noting that receiving messages from ShinyHunters "does not necessarily mean your personal information has been compromised."

Mitigations & Recommendations

Educational institutions using Canvas should await formal guidance from Instructure regarding the scope of the incident and the nature of any affected data, as advised by the FBI. Students and faculty who receive direct communications from ShinyHunters demanding payment should not respond and should report such contacts to their institution's IT security team and local FBI field office. Instructure has stated that any school not already contacted by the company was not impacted by the cyberattack. Organizations should review their incident response procedures to ensure that initial containment measures include complete remediation of the root cause to prevent follow-on intrusions, as the timeline of this incident demonstrates the risk of incomplete remediation.