Instructure, the parent company behind the widely used Canvas learning platform, has confirmed reaching an agreement with a cybercrime extortion group following a major data breach that affected thousands of educational institutions.
The Utah-based educational technology company disclosed that it decided to negotiate with the attackers due to concerns about the possible public release of stolen information belonging to schools and universities worldwide.
Instructure Confirms Agreement With Attackers
In a statement released Monday, Instructure said it had reached an agreement with the unauthorized threat actors involved in the incident in an effort to prevent the leaked data from being published online.
According to the company, the agreement applies to all impacted customers. Instructure also claimed the stolen data was returned and that the attackers provided digital confirmation that the information had been deleted.
The company further stated it was informed that affected schools and universities would not face separate extortion attempts linked to the breach.
While acknowledging the uncertainty of dealing with cybercriminals, Instructure said it believed taking every possible step to protect customers was necessary under the circumstances.
ShinyHunters Linked to Massive Canvas Breach
The attack has been attributed to the notorious cyber extortion group ShinyHunters, which reportedly targeted Canvas late last month.
Canvas is one of the most widely used web-based learning management systems in the education sector, supporting schools, colleges, and universities globally.
Researchers say the attackers stole approximately 3.65TB of data during the intrusion, impacting nearly 9,000 organizations.
Although the breach initially appeared contained, a second wave of malicious activity emerged on May 7, 2026. During this phase, attackers defaced Canvas login pages across roughly 330 institutions with extortion messages demanding payment before a May 12 deadline.
Attack Exploited Free-for-Teacher Environment
According to Instructure, the attackers gained initial access by exploiting a vulnerability connected to support tickets within the company’s Free-for-Teacher environment.
The breach reportedly exposed around 275 million records, including:
- Usernames
- Email addresses
- Course names
- Enrollment information
- User messages
However, Instructure emphasized that sensitive elements such as course submissions, credentials, and educational content were not compromised.
Following the incident, the company temporarily disabled Free-for-Teacher accounts while security investigations continue.
Security Measures Implemented After the Breach
In response to the attack, Instructure said it has taken multiple steps to secure affected systems, including:
- Revoking privileged credentials and access tokens
- Rotating internal encryption keys
- Restricting token creation pathways
- Deploying additional security controls
- Conducting forensic investigations with external cybersecurity experts
The company also noted it is reviewing the full scope of the compromised data and working to strengthen its overall cybersecurity posture.
Experts Warn of Increased Phishing Risks
Cybersecurity firm Halcyon warned that the stolen information could fuel highly targeted phishing attacks against students, parents, faculty, and school administrators.
Researchers explained that attackers may use the leaked data to impersonate:
- School IT departments
- Financial aid offices
- University administrators
- Technical support teams
Security experts are urging educational institutions affected by the breach to immediately issue phishing alerts and educate users about potential scams related to the incident.
Growing Cybersecurity Concerns in Education Sector
The attack on Canvas highlights the increasing cybersecurity threats facing educational institutions, which often manage massive amounts of personal and academic data while operating with limited security resources.
As ransomware and extortion groups continue targeting schools and universities, experts warn that educational platforms remain attractive targets due to the scale of user data they contain and the operational pressure institutions face during disruptions.
