Instructure pays ransom to Canvas hackers

Instructure has paid a ransom to the cybercriminal group ShinyHunters following two breaches of its Canvas learning management system in less than two weeks, affecting approximately 275 million users across over 8,800 institutions.

The company, which supplies LMS services to 41 percent of North American higher education institutions, confirmed in an update on May 11 that it paid an undisclosed amount to the hackers, who had threatened to leak user data if demands were not met by May 12. The ransom deal resulted in the return of compromised data and confirmation of data destruction, according to Instructure.

ShinyHunters claimed responsibility for the breaches, which disrupted Canvas services and threatened to leak personal information, including names, email addresses, student IDs, and private messages among users. The group had previously linked these attacks to breaches at universities such as Harvard, Princeton, and the University of Pennsylvania.

Why It Matters

This incident underscores the ongoing cybersecurity risks facing educational technology providers, especially those managing sensitive student and institutional data. The decision to pay the ransom raises questions about the effectiveness of current cybersecurity defenses and the potential encouragement of ransom-based extortion.

For students, faculty, and administrators, the breach highlights vulnerabilities in data security protocols, potentially exposing personal and academic information. The incident may also influence future policies on cybersecurity incident response and ransom negotiations in the education sector.

Background

Over the past week and a half, Canvas experienced two cyberattacks by ShinyHunters, a hacking group known for targeting high-profile institutions and demanding ransom payments. The first breach led to service disruptions and threatened data leaks, prompting some universities to postpone exams. The hackers issued demands with a deadline of May 12, warning of data leaks and digital issues if ignored.

Instructure initially responded by addressing security concerns and restoring services by May 5. However, the hackers resumed their attacks later in the week, leading to renewed disruptions and public messages from the group. The company’s decision to pay the ransom came just before the deadline, aiming to prevent data leaks and further damage.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates.”

— Instructure CEO Steve Daly

“All Canvas environments are available.”

— Instructure statement

What Remains Unclear

It remains unclear how much the ransom was for, as Instructure has not disclosed financial details. It is also uncertain whether the data leak has been entirely prevented or if residual vulnerabilities remain. The long-term impact on user trust and future security policies is still developing.

What’s Next

Instructure is continuing its forensic investigation and working with security vendors to strengthen its defenses. The company plans to review its incident response strategies and improve communication protocols. Further updates are expected as the investigation progresses and additional security measures are implemented.

Key Questions

Did Instructure confirm the amount paid in ransom?

No, the company has not disclosed the ransom amount paid to ShinyHunters.

Are all Canvas users now secure after the ransom payment?

While Instructure reports that all environments are now available, the full security status and potential residual vulnerabilities remain under review.

Will the hackers leak the data they recovered?

Instructure claims to have received confirmation of data destruction, but the risk of leaks cannot be entirely ruled out until further assessments are completed.

Why did Instructure decide to pay the ransom?

The company stated that paying the ransom was intended to prevent data leaks and further disruptions, especially given the threat of sensitive user information being publicly released.