Instructure Strikes Deal to Recover 275 Million Canvas Records as ShinyHunters Drops Extortion Threat
Updated
Updated · The New York Times · May 12
Instructure Strikes Deal to Recover 275 Million Canvas Records as ShinyHunters Drops Extortion Threat
8 articles · Updated · The New York Times · May 12
Instructure said it reached an agreement with ShinyHunters to return stolen Canvas data and destroy remaining copies, adding that customers were told they would not face extortion from the theft.
275 million users at nearly 9,000 schools were claimed by the hackers to be affected, with compromised data including usernames, email addresses, course names, enrollment details and private messages.
Canvas went offline for hours after the attack, which Instructure said followed unauthorized activity detected on April 29 and again on May 7; the company notified the FBI, CISA and international partners.
May 12 had been the hackers' leak deadline after a ransom note threatened to publish data, but Instructure did not say what it gave in exchange, and the FBI generally advises against paying ransom.
ShinyHunters, linked to major data-theft campaigns including Ticketmaster in 2024, targeted a platform used by about half of North American colleges and universities, underscoring the risk of centralized education systems.
By paying the hackers, did Instructure protect its users or just encourage more large-scale cyberattacks against the education sector?
With 41% of colleges using Canvas, is the entire US higher education system too reliant on a single, vulnerable technology platform?
Instructure paid the ransom, but can 275 million users trust that their stolen data has been permanently deleted from the dark web?
The 2026 Canvas Breach: How the ShinyHunters Hack Exposed Data from 8,809 Schools and Shook Global EdTech Security
Overview
In early May 2026, ShinyHunters launched a cyberattack on Instructure’s Canvas learning system, exploiting a vulnerability and exposing user data from thousands of educational institutions worldwide. After detecting unauthorized activity on May 1, Instructure confirmed the breach and began working with forensic experts and law enforcement, including the FBI and CISA. The attackers set and then extended a ransom deadline, while users faced risks like targeted phishing due to the exposed data. The incident disrupted academic activities during finals, highlighted the dangers of relying on a single platform, and raised urgent questions about EdTech security and institutional preparedness.