Instructure Reaches Agreement With ShinyHunters After Massive Education Breach

Instructure says data stolen during the cyberattack affecting its Canvas learning platform has been returned and destroyed following an agreement with the unauthorized actor tied to the incident. The company also acknowledged communication gaps after schools experienced outages and operational disruption connected to the breach.

The attack, later claimed by the extortion group ShinyHunters, affected systems used by thousands of schools and universities worldwide.

Instructure said course content, submissions, and credentials were not compromised, though exposed information included usernames, email addresses, enrollment data, and messages exchanged through the platform.

Why It Matters: Canvas sits inside the daily operations of thousands of schools and universities. When a provider handling classroom communication and student data experiences a breach, institutions can face outages, exposed records, and immediate dependence on the vendor’s incident response and recovery efforts.

• Instructure Said the Stolen Data Was Returned: The company stated it reached an agreement with ShinyHunters and received digital confirmation that the data had been destroyed through what it described as “shred logs.” Instructure also said affected institutions would not face separate extortion attempts tied to the breach, while noting there is no way to guarantee outcomes involving cybercriminals.

• The Investigation Clarified What Information Was Accessed: Instructure said the exposed information included usernames, email addresses, course names, enrollment details, and messages exchanged through the platform. The company maintained that course content, submissions, and account credentials were not compromised. Claims previously attributed to ShinyHunters referenced hundreds of millions of records and billions of messages, though those figures remain unverified.

• Schools Continued Managing Operational Disruption After the Incident: The attack affected parts of the Canvas environment used by K-12 districts and universities in multiple countries. Some institutions adjusted deadlines and exam schedules after outages interrupted access to classroom systems. Instructure also temporarily disabled portions of its Free for Teacher environment after identifying a vulnerability connected to support ticket functionality.

• Instructure Addressed Criticism Over Customer Communication: CEO Steve Daly apologized to customers and acknowledged the company did not provide enough updates while the investigation was underway. Instructure said it has since launched a dedicated incident update page and plans to release additional findings from its forensic review.

• Law Enforcement and Security Vendors Became Part of the Response: Federal authorities assisted organizations affected by the breach while Instructure worked with outside forensic and cybersecurity firms during the investigation. The company said external security teams are supporting remediation efforts, reviewing the scope of the incident, and helping strengthen affected systems following the attack.

Go Deeper -> Security Incident Update & FAQs – Instructure

Data stolen in Canvas hack that hit thousands of schools has been returned, company says – CNN