- Instructure, the parent company of Canvas, reached a ransom agreement with the ShinyHunters cybercrime group to prevent the leak of stolen data.
- The attack, involving a vulnerability in the Free-for-Teacher platform, compromised 3.65TB of data and affected nearly 9,000 educational institutions.
- The breach exposed 275 million records, including usernames and email addresses, but reportedly did not compromise course content or credentials.
- In a second wave of attacks, the hackers defaced login portals at about 330 institutions with extortion messages before the May 12, 2026 deadline.
- The company has temporarily shut down Free-for-Teacher accounts and implemented new security controls in response to the incident.
In a dramatic escalation of digital extortion, the Instructure educational technology company confirmed on May 12, 2026, that it negotiated with hackers to prevent a massive data leak from its Canvas platform. The Utah-based firm reached an agreement with the decentralized ShinyHunters cybercrime crew, which had stolen sensitive information from thousands of schools and universities.
Consequently, Instructure made the controversial decision to pay a ransom, citing “concerns about the potential publication of data” in an official update. The company stated this agreement covers all impacted customers and that the stolen data was returned with confirmation of its destruction.
However, this crisis began late last month when attackers breached the network, siphoning 3.65TB of data. The incident impacted nearly 9,000 organizations by exploiting an unspecified vulnerability related to support tickets in the Free-for-Teacher environment.
This initial breach was assumed to be contained, but a second wave of unauthorized activity was detected on May 7, 2026. Attackers defaced Canvas login portals at roughly 330 institutions with extortion messages, setting a negotiation deadline.
The pilfered data consists of about 275 million records containing usernames, email addresses, and enrollment information. Instructure has emphasized that course content, submissions, and user credentials were not compromised in the attack.
Meanwhile, security firm Halcyon warned the exfiltrated data provides enough personal context for targeted phishing campaigns. Leaked records could be used to impersonate school administrators or financial aid offices in follow-on attacks, according to the company’s statement.
In response, Instructure has temporarily shut down Free-for-Teacher accounts and revoked privileged credentials. The company also rotated internal keys, restricted token creation pathways, and deployed additional security controls to improve its cybersecurity posture.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
