Instructure Pays Ransom to ShinyHunters After Major Canvas Data Breach Affecting 9,000 Institutions Amid Congressional Oversight

In a critical incident within the education technology sector, Instructure, the developer of the widely utilized Canvas platform, has confirmed that it paid a ransom to the ShinyHunters cybercriminal group. This decision comes in the wake of multiple breaches that compromised sensitive information from approximately 9,000 educational institutions.

Late on Monday, Instructure announced its agreement with ShinyHunters, which included the return of stolen data and a digital confirmation of its destruction. The company reassured its customers that they would not face extortion as a result of this incident, stating, “This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

Timeline of the Breach

The ShinyHunters group executed two breaches of the Canvas platform within a two-week timeframe. The initial breach occurred on May 1, during which extensive data was reportedly stolen, including names, email addresses, student IDs, and communications between students and professors. A follow-up attack on May 7 involved defacing the platform with a ransom message, causing significant disruption for users. Consequently, millions of students and faculty were unable to access class materials just before final exams.

ShinyHunters claimed to have compromised data from around 9,000 Instructure customers and threatened to leak this information unless ransoms were paid by individual institutions by May 12.

Congressional Oversight and Investigation

The decision to pay the ransom coincided with an announcement from the House Homeland Security Committee, which indicated plans to investigate the cyberattack. Representative Andrew Garbarino (R-NY), the committee chairman, sent a letter to Instructure’s CEO requesting a briefing on the incident before May 21. He expressed concern over the implications of the breach for students and educational institutions, emphasizing the need for transparency regarding how educational technology companies manage cybersecurity risks.

Garbarino’s letter outlined several key areas for the briefing, including the circumstances surrounding both breaches, the nature and volume of data accessed, and the adequacy of Instructure’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency (CISA). He noted discrepancies between Instructure’s public statements and the scale of the breach as claimed by the attackers.

Implications for Cybersecurity in Education

The repeated breaches within such a short period raise critical questions about Instructure’s incident response capabilities and its obligations to protect the data of educational institutions and individuals. Garbarino highlighted the systemic vulnerabilities that this incident exposes, stating, “The scale and timing of the Instructure breach, and the demonstrated inability of a major educational technology vendor to contain a threat actor following an initial intrusion, are precisely the kind of systemic vulnerabilities this Committee has a responsibility to examine.”

Instructure’s CEO, Steve Daly, issued an apology to customers over the weekend, asserting that Canvas is currently safe to use. He also announced that CrowdStrike and another cybersecurity firm have been engaged to conduct a forensic analysis of the incident and enhance security measures.

FBI Involvement and Student Guidance

The FBI has acknowledged the disruption caused by the breach and has advised students not to respond to any communications from the hackers demanding payment. An FBI spokesperson clarified that receiving messages from ShinyHunters does not necessarily indicate that personal information has been compromised. The agency recommended that individuals await formal guidance from their educational institutions regarding the specifics of the incident and any affected data.

As of Monday, the ShinyHunters leak site was taken offline, suggesting possible action from federal authorities targeting the group. This breach is part of a broader trend, as ShinyHunters has been linked to previous attacks on high-profile companies, including Ticketmaster and AT&T, as well as recent incidents involving educational publishers like McGraw Hill.

For further details on this incident, refer to the original reporting source: cyberwarriorsmiddleeast.com.

For ongoing coverage and breaking updates, visit our Latest News section.

Published on 2026-05-13 08:20:00 • By the Editorial Desk