An American education technology company called Instructure, the parent company behind Canvas, announced it had reached an "agreement" with a decentralised cybercrime extortion gang after they broke into their network and warned them that they would publish tens of thousands of school and university-related pieces of data if they didn't pay up.
A Monday update from Utah-based Instructure stated that they had "reached an agreement with the unauthorised actor responsible for this incident," stating they were concerned "about the potential publication of data."
While many companies and individuals may find paying a ransom to cybercriminals to prevent having sensitive data leaked to be a taboo subject, in this case the company stated that due to concerns related to protecting sensitive customer data they decided to do just that. While ensuring all of their affected customers were included in the agreement, they ensured that all of the pilfered data was returned to them, including digital evidence of all data being destroyed. Additionally, they reported that based on information received, none of the company's customers will be individually extorted in connection with the hacking incident.
"While you can never know for certain what actions a cyber criminal will take, we believed it was important to make sure we took each and every action that we could reasonably take to provide customers some additional peace of mind, where possible," stated Instructure.
Additionally, they said they are currently working with various experts and vendors to assist with their forensic investigation, help bolster their cybersecurity position and conduct a thorough review of the data that was accessed during the breach.
This announcement comes as the ShinyHunters extortion gang launched a massive digital assault against Canvas, a very popular online Learning Management System (LMS), near the end of April, which resulted in the theft of approximately 3.65 TB of data. At least 8,980 organisations were affected by this breach.
Even though Instructure originally thought the breach had been contained, a second wave of unauthorised activity connected to the original breach occurred on May 7, 2026, wherein the attackers posted extortion messages onto over 300 different institutions' Canvas login pages and gave Instructure until May 12, 2026, to either agree to pay a ransom or face having all of the stolen data released.
According to reports, hackers appear to have exploited a previously unknown vulnerability concerning "support ticket requests" in its Free-For-Teacher environment in order to gain initial access and steal approximately 275 million records. Each record included users' usernames, email addresses, course titles, student enrolments and message history. Instructure indicated that course content, assignments and students' individual account login credentials were NOT compromised.
As a result of this breach, Instructure has suspended all Free-For-Teacher accounts. They have declined to identify the specific vulnerability that was exploited. However, they indicated they removed privileged user credentials and access tokens for all systems affected by the breach, internally changed all passwords and keys, blocked all new paths to create tokens, and implemented further security measures.
