Instructure, the producer of the Canvas school information portal, announced on Tuesday it has reached a deal with hackers who breached its systems twice, stealing vast amounts of student and staff data and disrupting many schools using its software.
ShinyHunters, a cybercrime group focused on financial gain, claimed responsibility for the April 29 data breach, alleging the theft of information from 275 million students and staff, including personal details. They compromised Canvas, used by nearly 9,000 schools for managing student data and coursework.
The hackers breached the company again last week, defacing Canvas login pages on school websites to pressure payment of their ransom.
Instructure reported on its incident page on Monday that the hackers provided proof the stolen data was destroyed and assured Canvas customers would not face extortion as part of the agreement.
The company admitted negotiations with cybercriminals are never entirely certain but emphasized customers need not interact with the hackers.
Financial details of the agreement were not disclosed, and Instructure did not reveal how much was paid. Instructure spokesperson Brian Watkins did not respond to requests for comment or agreement details when contacted on Tuesday.
In a post on its leak site viewed by TechCrunch, ShinyHunters had threatened to leak the stolen data unless their demands were met.
By Tuesday, the listing was removed from ShinyHunters’ page, indicating a potential payment.
A ShinyHunters representative told TechCrunch: “The data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.”
It remains unclear why Instructure paid the hackers, as governments like the United States long advise against paying cybercrime ransoms to prevent aiding criminals. Security experts argue victims shouldn’t trust hackers, as some have retained data despite claims of deletion for ongoing extortion.
The Instructure breach is akin to a cyberattack on PowerSchool, another school information software provider, experiencing a massive breach affecting 70 million people in 2024. PowerSchool paid a ransom for the stolen data, but some customers were later extorted by another group possessing data supposedly destroyed.
The FBI stated last week it was aware of the system disruption affecting schools across the U.S. The notice didn’t name Canvas but advised against responding to hackers’ demands.
The stolen Instructure data, reviewed by TechCrunch, includes student names, personal email addresses, and teacher-student messages with private information.
Instructure confirmed on its website the company endured two distinct breaches within a year involving different systems.
The company continues investigating the breach and verifying findings.
Instructure hasn’t clarified who manages its cybersecurity, if not CEO Steve Daly. When contacted by TechCrunch, Instructure didn’t comment on whether Daly plans to resign after the breaches.
Are you a Canvas administrator or school notified about the breach? Received an extortion demand from hackers? We want to hear from you. To contact this reporter securely, reach out via Signal username zackwhittaker.1337.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.