A massive breach of Instructure’s Canvas LMS by the ShinyHunters group disrupted finals at thousands of institutions and exposed hundreds of millions of student and staff records. Instructure reached a contested agreement with the attackers to return and purportedly delete data — details and any payment remain undisclosed — while restoring service and conducting forensic reviews. Reporting highlights systemic risks: weak teacher account protections, centralized cloud dependencies, and the moral hazard of paying extortionists. Universities face operational disruption, legal scrutiny, and long-term privacy harms, prompting calls for stronger vendor security, multi-factor authentication, transparency, and sector-wide incident preparedness.
The Canvas breach affects millions of students and staff and highlights systemic risks in centralized edtech platforms. Tech professionals must reassess vendor risk, authentication controls, and incident-response plans for large cloud SaaS used in education.
Dossier last updated: 2026-05-13 08:42:15
Instructure, operator of the Canvas learning platform, said it reached an agreement with hackers who breached the service and returned the stolen data, claiming to have provided digital proof the copies were destroyed. The company did not disclose whether a ransom was paid or identify the attackers; the hacking group ShinyHunters had claimed responsibility and threatened to leak data on nearly 9,000 schools and 275 million individuals. Instructure said the breach exposed names, email addresses, student ID numbers and messages but found no evidence of passwords, dates of birth, government IDs or financial data being compromised. The company is conducting forensic analysis, hardening systems and reviewing affected data as schools scrambled during the outage.
Instructure, the parent company of the Canvas learning platform, said it reached an agreement with hackers who stole data in a breach that disrupted finals at many schools and threatened to leak information on 275 million people. The company did not disclose if a ransom was paid or identify the attacker, though the ShinyHunters group claimed responsibility and had set extortion deadlines. Instructure says the stolen data was returned and it received digital “shred logs” indicating copies were destroyed, while acknowledging there is no definitive way to verify deletion. The company is conducting forensic analysis, hardening systems, and reviewing the data involved; compromised items reportedly included names, emails, student IDs and messages.
Canvas (Instructure) reportedly struck a “settlement” with hackers after a breach that exposed student usernames, emails, course and enrollment data, and messages across more than 9,000 institutions — a move the author frames as tantamount to paying a ransom. The platform’s incident page says hackers agreed to return data, delete logs, and not extort customers, but experts warn such deals rarely solve root causes and may encourage repeat attacks or resale of access. The piece cites rising ransomware trends (NordStellar) and high payment rates (Arctic Wolf), urging investment in preventive security, privacy-first practices, and professional incident response instead of paying attackers. It highlights risks to education and smaller organizations.
Instructure, maker of the Canvas learning platform, has confirmed it reached an agreement with the Shiny Hunters extortion group after a breach that disrupted services at roughly 9,000 institutions and exposed 3.5TB of student and staff data. The company says the hackers returned the data, provided digital confirmation of destruction and agreed not to extort customers; it did not detail terms or explicitly confirm a ransom payment. The incident, discovered on April 29, interrupted exams and forced universities to postpone assessments. Security experts warn paying criminals can encourage more attacks and offers no guarantee of deletion, while Instructure defends the move as protecting users and minimizing further harm.
Lily Hay Newman / Wired : Foxconn says some of its North American factories suffered a cyberattack in recent days; ransomware group Nitrogen claims it stole 8TB of data — Famous for helping build Apple's iPhones, Foxconn just suffered another cyberattack, highlighting the perils of warehousing some of the world's most valuable data.
Instructure has paid a ransom to the ShinyHunters cybercriminal group after the gang twice breached its Canvas learning management system, recovering data for roughly 275 million users across more than 8,800 institutions. The company said it obtained shred logs and assurances no customers will be extorted, and that individual schools need not negotiate with the attackers. Canvas outages disrupted students and faculty in the run-up to finals; stolen data reportedly included names, email addresses, student IDs and private messages. Instructure declined to disclose the payment amount and said it’s working with forensic vendors to harden systems and review the incident. The attack follows ShinyHunters’ other high-profile university breaches.
Instructure, operator of the Canvas learning management system used by universities and schools, paid a ransom to hackers after a May 2026 breach disrupted access to Canvas and exposed source code and data. The company confirmed the payment in an incident update as reports — including the New York Times — detailed negotiations with the criminals who had encrypted systems and threatened to leak stolen materials. Instructure said it worked with law enforcement and cybersecurity experts while restoring services and resetting credentials; officials warned of potential data exposure. The episode underscores growing ransomware risks to education tech platforms and the operational and reputational stakes for widely used SaaS providers.
Canvas's parent company reaches an agreement with the hacker group behind the recent data breach
Instructure, maker of the Canvas learning platform, struck an agreement with the Shiny Hunters extortion group after a breach that disrupted service for about 9,000 institutions and threatened to publish 3.5TB of student and staff data. Instructure says the attackers returned the data, provided digital confirmation of destruction and promised not to extort customers; the company did not disclose payment terms. The April 29 breach interrupted exams and forced some universities to postpone assessments, prompting visible public updates from Instructure. Law enforcement warns paying criminals can encourage further attacks and offers no guarantee data is truly deleted, and previous incidents show threat actors sometimes lie after receiving ransoms.
Qasim Nauman / New York Times : Instructure reached a deal with hackers who breached its Canvas platform to return stolen data and destroy copies, without disclosing what it gave in exchange — Instructure, which provides Canvas software to thousands of schools and universities around the world, did not say what it had given …
The developer of the education tool Canvas issues an apology statement after being hacked
ShinyHunters set a deadline for Instructure to pay a ransom or have stolen data leaked, but as of the deadline Instructure's data has not appeared on the leak site and the company issued only a terse press statement declining to comment. The author questions whether Instructure paid and what a payout for a breach of this scale might be, noting that class-action lawsuits are being prepared and could force greater disclosure. This matters because Instructure serves education technology customers, making any breach or hush payment significant for privacy, legal exposure, and sector trust. Ongoing litigation and transparency choices will shape fallout for the edtech and cybersecurity communities.
Canvas, the learning-management platform by Instructure, was restored after a breach traced to compromised 'free-for-teacher' accounts, likely created with weak protections. Attackers used these teacher accounts to escalate access and exfiltrate data, prompting a full service outage and emergency remediation. Instructure has been reverting affected credentials, forcing password resets, and restoring services while investigating the scope of stolen data. The incident highlights risks from low-friction account sign-ups and insufficient access controls in edtech, underscoring the need for stronger authentication, monitoring, and vendor security practices across education platforms. Customers and institutions are being advised to review account provisioning and apply multi-factor authentication.
Canvas operator Instructure temporarily took the platform offline after a cyberattack by the ShinyHunters ransomware group disrupted access during US final exams; the company restored service by Friday morning but had earlier identified unauthorized activity and a related data breach disclosed a week prior. ShinyHunters claimed it stole data tied to 275 million people across 8,800 schools and posted a ransom demand on Canvas login pages, prompting universities — including the University of Illinois and University of Massachusetts Dartmouth — to postpone or reschedule finals. Instructure says stolen data included names, emails, student IDs and messages, but not passwords or financial or government identifiers. The incident underscores persistent risks to education tech and large-scale cloud-data supply-chain exposure.
Canvas, the widely used US online education platform developed by Instructure, suffered a cyberattack on May 7 that briefly disrupted service after unauthorized parties altered platform pages. Instructure took the platform offline as a precaution, began an investigation and restored most user access the evening of May 7; by May 8 the company said Canvas was fully back online. Instructure has retained external experts and says it is working to minimize impacts from the incident. The outage affected institutions across the US, underscoring risks to digital education infrastructure and the importance of incident response and forensic review.
Canvas operator Instructure temporarily took the learning platform offline after detecting unauthorized activity tied to a threat actor that had earlier accessed user data; service was restored by Friday. The attacker — ransomware group ShinyHunters — claimed responsibility and posted a ransom demand during peak final-exam periods, saying it had data on 275 million people across 8,800 schools. Instructure said exposed data included names, emails, student IDs and messages but not passwords, birthdates, government IDs or financial information. The outage forced multiple universities to postpone or reschedule finals, underscoring persistent cybersecurity risks for edtech and the wider fallout when cloud education platforms are disrupted.
Canvas parent company Instructure was forced to take its LMS offline after the cybercrime group ShinyHunters defaced Canvas login pages with a ransom demand and claimed data from 275 million students and staff across nearly 9,000 institutions. Instructure had already acknowledged a breach earlier in the week and said stolen data included names, emails, student IDs and internal messages but not passwords or financial data. The extortion post urged schools to negotiate individual ransoms; some universities reportedly contacted the attackers. The outage hit during finals, disrupting classes and prompting criticism of Instructure for labeling the outage as "scheduled maintenance." The incident underscores risks to education tech and the impact of ransomware/extortion on critical cloud services.
Instructure’s Canvas platform was breached by the ShinyHunters ransomware group, locking students out and reportedly exfiltrating messages and data for more than 275 million people. Instructure confirmed stolen personal information including names, emails, student IDs and user messages, and said the service had been breached twice, once on April 29 and again on Thursday. The outage disrupted finals, grading and campus communications, underscoring risks from centralizing education data in a single cloud provider. Digital librarian Ian Linkletter called it “the biggest student data privacy disaster in history,” warning the scale and sensitivity of leaked messages enable targeted phishing and long-term privacy harms. The incident spotlights systemic EdTech security and governance failures.
Brian Krebs / Krebs on Security : Instructure disables its Canvas edtech platform, used by thousands of schools and universities, amid a data extortion attack claimed by ShinyHunters — An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework …
Canvas owner Instructure took its LMS offline after the cybercrime group ShinyHunters defaced the service’s login page and demanded ransom over a claimed breach impacting data from up to 275 million students and staff across nearly 9,000 institutions. Instructure had earlier acknowledged a breach and said stolen data may include names, emails, student IDs and messages, but not passwords or financial data; it initially reported the incident contained and Canvas operational. The defacement and extortion forced schools into disruption during finals, prompted some universities to consider paying, and raised criticism over Instructure’s handling and status messaging while investigators and security firms probe the ongoing extortion and potential data exposure.