American educational technology company Instructure, the parent organization behind the widely used Canvas learning management system, has confirmed that it reached an agreement with a cybercrime extortion group following a large scale network breach. The company stated that it negotiated with an unauthorized actor responsible for stealing sensitive information from its systems, citing concerns about the potential public release of the data. The decision comes after the attackers threatened to leak data connected to thousands of educational institutions globally, creating significant pressure on the company to contain the incident and protect affected customers from exposure.
Instructure reported that the agreement covers all impacted customers and that the stolen data has been returned, accompanied by digital confirmation of deletion from the attackers. The company also stated it was informed that no additional extortion attempts would be made against its customers as a result of the breach. While acknowledging that complete certainty is not possible when dealing with cybercriminal groups, Instructure explained that it took the decision in order to provide additional reassurance to institutions using its platform. The company is also working with external cybersecurity specialists to support forensic investigations, improve its security infrastructure, and conduct a detailed review of the compromised data to understand the full scope of the incident and reinforce system defenses.
The breach has been attributed to the ShinyHunters extortion group, which carried out a coordinated attack against Canvas late last month, resulting in the theft of approximately 3.65TB of data. The incident is believed to have impacted nearly 9000 organizations, including schools and universities that rely on Canvas for digital learning management. According to reports, the attackers initially gained access by exploiting an unspecified vulnerability related to support ticket functionality within the Free for Teacher environment. This access enabled them to extract approximately 275 million records containing usernames, email addresses, course titles, enrollment details, and internal messages. Instructure has clarified that core academic materials such as course content, submissions, and user credentials were not part of the compromised dataset.
A second phase of the attack was detected on May 7, 2026, when unauthorized activity linked to the same breach involved defacing Canvas login portals at around 330 institutions. The attackers also issued extortion messages and imposed a deadline of May 12, 2026, demanding ransom negotiations or threatening public data release. In response, Instructure temporarily suspended Free for Teacher accounts and implemented a series of containment measures, including revocation of privileged credentials, rotation of internal access keys, restriction of token generation processes, and deployment of additional security controls across affected systems. Security analysts have warned that the exposed data provides sufficient contextual information to enable highly targeted phishing campaigns against students, faculty members, parents, and administrative staff. Potential follow on attacks may involve impersonation of school administrators, IT support personnel, or financial aid offices, increasing the risk of credential theft and social engineering attempts across affected educational institutions.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
