Risk events that matter to specialty insurance
AI-powered event intelligence with automated detection, classification, and transparent review status
Monitoring · Impact: Medium · AI Generated

Instructure (Canvas LMS) Reaches Agreement with ShinyHunters to Suppress Stolen Data – May 2026

🇺🇸 United States – Instructure is headquartered in Salt Lake City, Utah; Canvas LMS used globally across educational institutions, US
First detected: 12 May 2026, 10:10 · Updated: 2d ago · 7 reports
Cyber
Property · Cyber · Casualty & Liability

Impact Assessment Rationale

Canvas is one of the most widely used LMS platforms globally, meaning the breach potentially affects millions of students, faculty, and institutional records. However, the 'agreement' to suppress the leak may limit immediate downstream harm, and direct property or physical damage is absent.


Geographic Zone Matches

1 active match

  • TRIA Certified Areas
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Summary

Instructure, the company behind the Canvas learning management system, has reportedly reached an 'agreement' with the ShinyHunters extortion group following a data breach to prevent the stolen data from being publicly leaked. ShinyHunters is a prolific cybercriminal group known for large-scale data theft and extortion. The incident raises significant concerns about the exposure of student and institutional data across the many educational organisations that rely on Canvas. The nature of the 'agreement' implies a ransom or non-disclosure arrangement, though full details have not been confirmed.

This summary is AI-generated from linked source reports and may change as more information becomes available. See our correction policy for how to report errors.

Structured Intelligence

known

  • Instructure, operator of the Canvas LMS, suffered a data breach
  • ShinyHunters extortion group is responsible for the breach and threatened to leak the stolen data
  • Instructure has reached an 'agreement' with ShinyHunters to prevent the data from being leaked online
  • The story was reported by BleepingComputer on 12 May 2026

reported

  • The 'agreement' likely involves a ransom payment or other concession to ShinyHunters
  • The breach likely involves sensitive educational and personal data of Canvas users

uncertain

  • The full scope and volume of data stolen is not confirmed
  • Whether a ransom was paid and the amount is unconfirmed
  • The timeline of the original breach is not stated in the article
  • Whether regulatory notifications have been issued is unknown

Affected Countries

🇦🇺 Australia · 🇨🇦 Canada · 🇲🇺 Multiple (global educational institutions) · 🇺🇸 United States

Key Entities

Instructure, Canvas, Canvas LMS, ShinyHunters, BleepingComputer, BBC World, The Record, United States, United States Congress, U.S. House Committee on Homeland Security, Department of Homeland Security, Chuck Schumer, Salt Lake City, Vancouver, Chicago, Mississippi State University, Idaho State University, Penn State University, University of British Columbia, University of Toronto, University of California Los Angeles, University of Chicago, Northwestern University, University of Sydney, University of Texas San Antonio, Aubrey Palmer, Jacques Abou-Rizk, Luke Connolly, Emsisoft, Ionut Ilascu
Event started: 12 May 2026

Timeline

Status Change · 29 May 2026, 05:30

Lifecycle changed

active → monitoring

Status Change · 29 May 2026, 05:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

Status Change · 28 May 2026, 22:36

Lifecycle changed

developing → active

Status Change · 28 May 2026, 22:36

Status changed to active

remediation: existing active criteria met

Merge · 14 May 2026, 08:26

Merged with: ShinyHunters Ransomware Attack on Instructure Canvas Disrupts ~9,000 Universities & Schools – May 2026

Event "ShinyHunters Ransomware Attack on Instructure Canvas Disrupts ~9,000 Universities & Schools – May 2026" (slug: shinyhunters-ransomware-attack-on-instructure-canvas-disrupts-9-000-universities) merged into this event.

Merge · 14 May 2026, 08:26

Merged with: ShinyHunters Breaches Instructure Canvas LMS – Data Theft & Portal Defacement – April–May 2026

Event "ShinyHunters Breaches Instructure Canvas LMS – Data Theft & Portal Defacement – April–May 2026" (slug: shinyhunters-breaches-instructure-canvas-lms-data-theft-portal-defacement-april-) merged into this event.

Merge · 14 May 2026, 08:26

Merged with: Canvas/Instructure Data Breach – Hackers Strike Deal to Delete Stolen Student Data – May 2026

Event "Canvas/Instructure Data Breach – Hackers Strike Deal to Delete Stolen Student Data – May 2026" (slug: canvas-instructure-data-breach-hackers-strike-deal-to-delete-stolen-student-data) merged into this event.

Corroboration · 12 May 2026, 23:25

Corroborating source

The U.S. House Committee on Homeland Security has called on Instructure executives to testify about two cyberattacks carried out by the ShinyHunters extortion group targeting the Canvas learning platform. The attacks resulted in the theft of student data and disrupted schools during final exam periods. The congressional inquiry marks an escalation in governmental scrutiny of the incident and its impact on educational institutions nationwide.

The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company's Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams.

Source: BleepingComputer (Trade Media)

Initial Detection · 12 May 2026, 17:25

Instructure, the parent company of the widely-used Canvas online learning platform, suffered a cyberattack that resulted in the theft of student and faculty data. The breach caused significant disruption, including delays to final examinations. Instructure subsequently reached an agreement with the threat actors to delete the stolen data, suggesting a ransomware or extortion-style negotiation.

Instructure, the parent company of Canvas, said in an online post that it 'reached an agreement with the unauthorized actor involved in this incident'. The hack caused chaos for students and faculty last week, delaying some final exams.

Source: The Guardian World (Mainstream Media)

Corroboration · 12 May 2026, 14:25

Corroborating source

Instructure, the company behind the Canvas learning management system, has confirmed it paid a ransom to the ShinyHunters extortion group following a data breach, with the company stating the agreement resulted in stolen data being 'returned' and digital confirmation of its destruction. The US Congress has announced an investigation into the incident. This represents an escalation of the previously reported 'agreement' between Instructure and ShinyHunters.

The company said its agreement with the hackers involved their data being "returned" to them and digital confirmation of data destruction.

Source: The Record (Cyber) (Trade Media)

Status Change · 12 May 2026, 12:00

Status changed to developing

Auto-promoted: multiple corroborating sources

Corroboration · 12 May 2026, 12:00

Corroborating source

Instructure, the company behind the Canvas learning management system, has confirmed it 'reached an agreement' with the ShinyHunters hacking group following a data breach that disrupted thousands of colleges and universities. The company reportedly paid the criminals to delete stolen student data. This BBC World coverage adds mainstream media corroboration to the incident previously reported by BleepingComputer.

The company behind Canvas says it has 'reached an agreement' with the hackers who disrupted thousands of colleges and universities.

Source: BBC World (Mainstream Media)

Initial Detection · 12 May 2026, 10:10

Instructure, the company behind the Canvas learning management system, has reportedly reached an 'agreement' with the ShinyHunters extortion group following a data breach to prevent the stolen data from being publicly leaked. ShinyHunters is a prolific cybercriminal group known for large-scale data theft and extortion. The incident raises significant concerns about the exposure of student and institutional data across the many educational organisations that rely on Canvas. The nature of the 'agreement' implies a ransom or non-disclosure arrangement, though full details have not been confirmed.

Instructure, the edtech giant behind the widely popular Canvas learning management system (LMS), has reached an 'agreement' with the ShinyHunters extortion group to prevent the data stolen in a recent breach from being leaked online.

Source: BleepingComputer (Trade Media)

Initial Detection · 12 May 2026, 02:15

Education technology company Instructure confirmed that threat actor ShinyHunters exploited cross-site scripting (XSS) vulnerabilities in its Canvas LMS platform to obtain authenticated admin sessions, exfiltrate over 3.6 terabytes of data, and deface login portals with extortion messages. The initial breach was discovered on 29 April 2026, followed by a second intrusion on 7 May 2026 to pressure Instructure into paying a ransom. ShinyHunters claim to have stolen 275 million records from approximately 8,809 educational organisations worldwide, with a ransom deadline of 12 May 2026. Canvas was taken offline briefly and restored on 9 May 2026, with Free-for-Teacher accounts suspended pending remediation.

ShinyHunters injected malicious JavaScript exploiting XSS bugs within user-generated content features, which gave them access to authenticated admin sessions and allowed them to perform privileged actions... ShinyHunters claim to have stolen 275 million records belonging to students, teachers, and other staff members.

Source: BleepingComputer (Trade Media)

Initial Detection · 11 May 2026, 00:40

The hacking group ShinyHunters carried out a ransomware and data extortion attack on Instructure, the company behind the widely used academic platform Canvas, beginning around Sunday 3 May 2026. The attack disrupted access to Canvas for an estimated 9,000 institutions across the US, Canada, and Australia during a critical end-of-year examination period, with ransom notes demanding bitcoin payment appearing on users' screens. Affected institutions included Mississippi State University, Penn State, University of British Columbia, University of Toronto, UCLA, University of Chicago, and Northwestern University, prompting widespread exam cancellations and postponements. By late Thursday 8 May, Instructure reported Canvas was 'available for most users', though outages persisted into Friday 9 May.

The hacking group ShinyHunters claimed responsibility for the attack, which caused the academic software Canvas used by thousands of schools and universities to go offline this week... The cyber attacks targeted universities and schools across the globe, affecting an estimated 9,000 institutions.

Source: BBC World (Mainstream Media)