Instructure pays ransom after second Canvas cyberattack threatened data leak

Instructure, the Utah-based education technology company behind the Canvas learning management system, said it reached an agreement with the cybercrime group ShinyHunters following two cyberattacks that compromised data linked to thousands of schools and universities worldwide.

The company said the agreement resulted in the return and destruction of data associated with roughly 275 million users across more than 8,800 institutions. Instructure said it received digital “shred logs” confirming the deletion of the stolen information and was assured that neither the company nor its customers would face additional extortion demands tied to the incident. Financial terms of the agreement were not disclosed.

Canvas, one of the most widely used learning management systems in higher education, is used by approximately 41 percent of higher education institutions in North America. The platform supports more than 30 million active users globally.

The attacks unfolded over the past several weeks, beginning with a breach that resulted in the theft of approximately 3.65 terabytes of data. A second wave of unauthorized activity was detected on May 7, when Canvas login portals at roughly 330 institutions were defaced with extortion messages demanding payment before May 12. Institutions affected by the disruptions included Harvard University, Princeton University, Columbia University, Georgetown University, and multiple school districts across more than a dozen states.

Instructure said the attackers exploited an unspecified vulnerability connected to support tickets in the company’s Free-for-Teacher environment. The breach exposed usernames, email addresses, enrollment information, course names, and internal messages. The company said course content, assignment submissions, and login credentials were not compromised.

Following the attacks, Instructure temporarily shut down its Free-for-Teacher accounts and implemented additional security measures, including revoking privileged credentials and access tokens, rotating internal keys, restricting token creation pathways, and deploying enhanced security controls. The company said forensic specialists and cybersecurity vendors are assisting with the ongoing investigation and infrastructure review.

The FBI acknowledged the widespread disruptions affecting schools and universities nationwide and deployed personnel across multiple states to assist impacted institutions. Federal authorities have previously advised organizations against paying ransomware demands.

In a message to customers, Instructure CEO Steve Daly apologized for communication shortcomings during the incident response and acknowledged disruptions experienced by schools during finals week. The company also announced plans to hold an online briefing with customers to explain the incident and outline steps being taken to strengthen security protections.