
The maker of Canvas software, used by thousands of schools and universities around the world, said Monday it has reached an agreement with hackers who recently breached its systems to return stolen data and destroy any copies.
ShinyHunters, a hacking group, claimed responsibility for the attack on Instructure, the Salt Lake City-based company that provides Canvas to about half of all colleges and universities in North America.
The hackers said they had access to the data of more than 275 million users at nearly 9,000 schools worldwide, including private conversations between students and teachers, as well as personally identifiable information such as names and email addresses. Canvas was shut down for several hours after Thursday’s cyber attack.
The deal, Instructure said in a statement, included returning the stolen data and confirming that the data was destroyed by the hackers. Instructure added that it had been informed that none of its customers would face blackmail as a result of the theft.
“While there is never absolute certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers as much peace of mind as possible,” the company said.
Instructure did not say what it gave the hackers in return for the data. The company did not immediately respond to inquiries about the deal.
Canvas has more than 30 million active users worldwide, according to Instructure. The platform is used by teachers and students for course management and communication. Instructure said the data compromised in the hack included usernames, email addresses, course titles, enrollment information and messages.
ShinyHunters claimed responsibility for the attack Thursday in a report that appeared on the Canvas student website and was obtained by The New York Times. The group warned that an unspecified amount of data would be leaked on May 12 if it did not receive a response from Instructure. In its May 3 ransom note, the group threatened to leak “several billion private messages between students and teachers.”
Not much is known about ShinyHunters, which is believed to have been created around 2020. Its goal seems to be to obtain personal records and sell them. One of its high-profile attacks was against Ticketmaster in 2024, when hackers said they stole the user information of more than 500 million customers.
Instructure said it first detected unauthorized activity at Canvas on April 29 and again on May 7. The company said it took Canvas offline to investigate the breach and also notified the FBI, the US Cybersecurity and Infrastructure Security Agency and other international law enforcement partners.
Instructure did not immediately respond to questions about whether any law enforcement agencies were involved in its dealings with the hackers. The FBI does not recommend paying ransom to hackers, saying that doing so doesn’t guarantee data security and encourages attackers to target more victims.





