Instructure, Maker of Canvas LMS, Struck a Deal with Hackers to Return Data

IBL News | New York

Instructure, the maker of Canvas LMS, used by half of all colleges and universities in North America, struck a deal on Monday with the hacking criminal group ShinyHunters to return the stolen data and destroy any copies, although the company didn’t say what it had given in exchange.

The company announced made the announcement this way:

“Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

• The data was returned to us.
• We received digital confirmation of data destruction (shred logs).
• We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
• This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.”

We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.”

Canvas has more than 30 million active users worldwide, according to Instructure. The platform is used by teachers and students for coursework management and communications. Instructure said the data compromised in the hack included usernames, email addresses, course names, enrollment information, and messages.

ShinyHunters warned that it would leak an unspecified amount of data on May 12 if it did not receive a response from Instructure. In its May 3 ransom note, the group had threatened to leak “several billions of private messages among students and teachers.”

Not much is known about ShinyHunters, which is believed to have been formed around 2020. Its goal appears to be obtaining and selling personal records. One of its high-profile attacks was against Ticketmaster in 2024, when the hackers said they had stolen the user information of more than 500 million customers.

Instructure did not immediately respond to questions about whether any law enforcement agencies were involved in its dealings with the hackers. The F.B.I. advises against paying ransom to hackers, saying it does not guarantee data security and encourages attackers to target more victims.