Instructure settles with hackers following massive student data theft

Pierluigi Paganini
May 13, 2026

Educational tech firm Instructure reached a deal with hackers after a major Canvas breach exposed data stolen from schools and universities.

Educational tech firm Instructure says it reached an agreement with the cybercrime group behind a major Canvas data theft, after attackers broke into its systems and threatened to publish stolen information from schools and universities.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirmed a cybersecurity incident that exposed users’ personal information. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the initial Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages.

Instructure did not share details about the attack, however, the ShinyHunters extortion group claimed responsibility for it and added the company to its Tor data leak site.

In a new update, the company said it reached an agreement with the cybercrime group due to the risk of a public leak and by the possible impact on customers. It added that the stolen data was returned and that it received confirmation it had been destroyed. Instructure also said it was told customers would not be separately extorted.

“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.” reads the company’s update. “With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

• The data was returned to us.
• We received digital confirmation of data destruction (shred logs).
• We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
• This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

The company is still working with cybersecurity experts to complete the forensic investigation, strengthen its systems, and review the impacted data. It also plans to share details about the root cause and lessons learned to help the education technology sector defend against similar attacks.

Instructure leadership is organizing a webinar, expected on May 13, across multiple time zones, to discuss the incident and security improvements.

ShinyHunters allegedly stole around 3.65TB of data from Canvas and affected nearly 9,000 organizations. A second wave of activity was later seen, including extortion messages on login pages at hundreds of institutions.

Attackers are said to have used a flaw in the Free-for-Teacher environment to get in and pull out large amounts of user data, including names, emails, course details, enrollment information, and messages. Instructure says core course content, submissions, and passwords were not exposed.

To limit further risk, the company temporarily shut down Free-For-Teacher accounts and tightened access controls. It also said it is working with security experts to review the incident and improve defenses.

The stolen data could still be useful for phishing and impersonation campaigns, especially against students, staff, parents, and support teams. For schools, the main concern now is that even without passwords or course files, this kind of data can still fuel convincing follow-up attacks.

The U.S. House Committee on Homeland Security has asked Instructure executives to testify about two cyberattacks linked to the ShinyHunters extortion group that compromised the Canvas platform, stole student data, and disrupted schools during final exams.

Chairman Andrew R. Garbarino said the committee is investigating the breach, which affects tens of millions of students, educators, and administrators who use Canvas.

The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company’s Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams.

In a letter sent Monday afternoon to Instructure CEO Steve Daly, Homeland Security Committee Chairman Andrew R. Garbarino said the committee is investigating the massive breach at Instructure that impacts millions of students.

“The Committee on Homeland Security (Committee) is investigating the concerning reports related to recent cybersecurity incidents affecting Instructure Holdings, Inc. and the tens of millions of students, educators, and administrators who rely on its Canvas learning management platform. Within the span of one week, the cybercriminal group known as ShinyHunters breached Instructure twice. The group reportedly first struck on May 1, accessing personal data belonging to students and faculty across thousands of institutions, and struck again on May 7, defacing Canvas login pages nationwide and posting ransom demands directly on students’screens.” reads the letter “With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon