Canvas Parent Instructure Reaches Agreement With ShinyHunters After Cyberattack

Instructure, the company behind the widely used Canvas learning-management platform, said it had reached an agreement with the hacking group ShinyHunters following a cyberattack that disrupted schools during finals season. The company reported that stolen data had been returned and that it received digital confirmation, described as shred logs, that remaining copies were destroyed.

The Details

Canvas serves as a critical technology infrastructure for educational institutions, handling coursework, exam administration, and grade tracking for both K-12 schools and universities. The breach occurred during finals season, a period of heightened academic pressure, and caused major disruption for students and faculty who rely on the platform for end-of-term activities.

According to reporting from the Associated Press, the hacking group ShinyHunters had threatened to release data from nearly 9,000 schools and 275 million individuals. The scale of the threatened leak underscored the breadth of the platform's user base and the potential scope of the incident.

In a statement quoted by the Associated Press, Instructure said, "The data was returned to us. We received digital confirmation of data destruction (shred logs)." This indicated that the hacking group had not only returned the information but had also provided evidence that other copies had been deleted.

Reuters also reported that Canvas' parent company had reached a deal with the hacking group behind the recent breach, characterizing the arrangement as an effort to secure stolen student and school data.

CyberScoop separately relayed an additional statement from Instructure offering further assurance to users. "We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise," the company said, according to CyberScoop. This statement was part of the company's broader communications after the agreement was reached.

Despite these assurances, significant questions remain. The exact terms of the agreement, including whether any payment was exchanged and in what amount, were not disclosed by the company. Additionally, whether the stolen data was truly deleted cannot be independently verified, even with the shred-log evidence described by Instructure. The company itself acknowledged this uncertainty in its updates, the Associated Press reported.

Context

The incident occurred against the backdrop of increasing cyberattacks targeting the education sector. ShinyHunters, the group identified in this incident, has been linked in other coverage to multiple education-sector breaches and has employed extortion threats tied to leaked data, according to reporting from Inside Higher Ed.

The timing of the breach during finals season amplified its impact. Educational institutions were already managing end-of-term deadlines when the attack disrupted their core learning-management system, adding pressure to an already demanding period for students and faculty. Canvas is widely used by K-12 schools and universities, so the disruption extended across a broad range of institutions and grade levels.

What's Next

Independent verification that all stolen copies of the data were fully erased remains unavailable. Instructure has not disclosed additional details about the agreement with ShinyHunters, and it is unclear whether further security measures or investigations will be announced. The company has emphasized customer assurance in its public statements, but without independent confirmation of the data's complete destruction or disclosure of the agreement's terms, substantial questions remain about whether the resolution is fully comprehensive.