Canvas Hack: Why did Instructure Pay Ransom to ShinyHunters?

Instructure has reached an agreement with the hackers following major data breach
After hackers broke into Instructure and messed with Canvas login pages, the company paid them a ransom to keep the stolen data private

In a controversial decision in cybersecurity, edtech giant Instructure has paid a ransom to ShinyHunters, after the threat group hacked into the widely adopted educational software Canvas – twice.

The popularity of the tool meant widespread disruption across thousands of institutions in the US, Canada, Australia and the UK, with studies affected, exams postponed and sensitive student data stolen.

ShinyHunters claimed they stole over 3.5 terabytes of data, including personally identifiable information such as names, email addresses, student ID numbers and messages between teachers and students.

Instructure said the hackers agreed to return the data, prove they destroyed their copies and promise not to bother customers for money.


The company explains its reasoning on its incident update page: “We know that concerns about the potential publication of data related to this incident remain top of mind for many customers.

“We understand how unsettling situations like this can be, and protecting our community remains our top priority.

“With that responsibility in mind, Instructure reached an agreement with the unauthorised actor involved in this incident.”

The incident

On 29 April 2026, Instructure said it “detected unauthorised activity in Canvas,” after which the company moved to revoke third-party access.

The company then opened an investigation involving outside forensic experts. 

On 7 May 2026, things took a turn for the worse, when the Canvas login page displayed the following message: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some ‘security patches’”.


The gang set a deadline of 12 May before “everything is leaked”.

Instructure described the leak as “tied to” the previous incident, after which Canvas was taken offline as a precaution.

“Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate and apply additional safeguards,” Instructure says.

“We have since confirmed that the unauthorised actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. 

“This is the same issue that led to the unauthorised access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts.”

The company has since confirmed it has reached an agreement with the hackers, although the amount paid has not been made public. 


The fallout 

The incident update page on Instructure now carries a message from Steve Daly, CEO of Instructure, who has apologised for the incident.

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us and we didn't deliver it. I'm sorry for that.”

Paying a ransom goes against the general regulatory consensus, as it promotes the illegal business model of extortion groups. Trust is also a crucial factor: hackers can lie, and have lied in the past, about destroying data, keeping it even after payments were made.


Instructure acknowledged this, saying that there is always uncertainty when dealing with cyber criminals, and described its decision as an effort to give its customers peace of mind.

“It is not surprising to learn that despite regulatory pressure, security and risk leaders remain open to paying a ransom to recover their systems and protect data when considering that prolonged downtime can lead to unsustainable losses,” says Christy Wyatt, President and CEO at Absolute Security.

“CISOs who build systems that can quickly restore continuity after disruptive attacks can avoid getting trapped in a cycle which will only grow alongside cyber criminals’ increasing use of AI-powered attacks.”

Steve adds: “Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.”