Instructure Pays Ransom to ShinyHunters After Canvas Breach Affecting 9,000 Organizations

TL;DR Instructure reached a ransom agreement with the ShinyHunters extortion group after a breach of its Canvas learning platform stole 3.65TB of data from nearly 9,000 institutions. The attackers exfiltrated approximately 275 million records containing usernames, email addresses, course names, and enrollment information. An unspecified vulnerability in Free-for-Teacher support tickets enabled initial access, followed by a second intrusion wave in May 2026 that defaced Canvas login portals at 330 institutions.

What happened

On an unspecified date in late April 2026, attackers exploited a vulnerability in Instructure's Free-for-Teacher environment to gain initial access to the company's network. The vulnerability related to support tickets, though the company has not disclosed its specific nature.

Once inside, the attackers exfiltrated approximately 275 million records from Canvas, the learning management system serving schools and universities across the MENA region and globally. The stolen data included usernames, email addresses, course names, enrollment information, and messages from nearly 9,000 affected organizations.

On May 7, 2026, a second wave of unauthorized activity emerged. Attackers defaced Canvas login portals at approximately 330 institutions with extortion messages, setting a May 12, 2026 deadline for ransom negotiation. The threat was to publish the stolen data if Instructure did not comply.

By May 12, 2026, Instructure announced it had "reached an agreement with the unauthorized actor involved in this incident." The company stated that the agreement covers all impacted customers, that the pilfered data was returned to it, and that it received digital confirmation of data destruction. Instructure also said it was informed that customers would not be separately extorted.

Why it matters

The exfiltrated dataset creates operational risk for educational institutions and their communities. The combination of usernames, email addresses, course information, and enrollment data provides sufficient context for targeted phishing campaigns against staff, students, and parents. Threat actors can impersonate school administrators, IT support personnel, or financial aid offices in follow-on attacks.

For defenders in affected institutions, the breach indicates the need for immediate advisory communications to users about the risk of phishing and social engineering. The compromise of support ticket systems also signals that administrative interfaces require the same security rigor as end-user-facing systems.

Instructure's decision to pay ransom rather than allow the data to be published sets a precedent within the educational technology sector and reflects the organization's assessment that the cost of ransom was lower than the cost of mass notification, regulatory fines, and reputational damage across 9,000 customer organizations. However, the company acknowledged that "there is never complete certainty when dealing with cyber criminals," meaning the destruction of data cannot be verified independently.

Affected systems and CVEs

Canvas (learning management platform)
Free-for-Teacher (support ticket subsystem)

No CVE assigned at the time of publication. The vulnerability in Free-for-Teacher support tickets has not been publicly documented or assigned an identifier.

What to do

Issue phishing advisories to staff, students, and parents at affected institutions immediately.
Direct communications should alert users to the risk of impersonation attacks targeting administrators, IT support, and financial aid offices.
If your organization uses Free-for-Teacher, verify that Instructure has restored your account access after the temporary shutdown and monitor for suspicious activity on login portals.
Review access logs for the period before May 7, 2026 to identify any unauthorized activity tied to support ticket endpoints.
Rotate credentials for any personnel with administrative access to Canvas or support systems.
Monitor for credential stuffing and phishing campaigns leveraging the exfiltrated usernames and email addresses.

Open questions

What is the specific nature of the vulnerability in Free-for-Teacher support tickets, and has Instructure patched it.
How much ransom did Instructure pay to ShinyHunters.
Can the destruction of 3.65TB of data be independently verified, or is Instructure relying solely on the attackers' assurances.
Which "expert vendors" is Instructure working with on forensic analysis, and will findings be disclosed.
What was the exact timeline between initial breach and the May 7, 2026 detection of the second wave of unauthorized activity.
Have any of the 275 million records appeared on underground markets or public databases since the agreement.