Canvas LMS cyberattack: Instructure strikes deal with hackers after 9,000 institutions hit

Share:
Audio Loading voice…
Canvas LMS cyberattack: Instructure strikes deal with hackers after 9,000 institutions hit

Synopsis

Instructure has struck a deal with the Shiny Hunters hacker group after they stole 3.5 terabytes of student data from Canvas LMS and disrupted 9,000 institutions across four countries. The company claims the data has been deleted and verified — but has not confirmed whether a ransom was paid, leaving a critical question unanswered.

Key Takeaways

Instructure , maker of Canvas LMS , reached an agreement with hackers after a cyberattack discovered on 29 April .
An estimated 9,000 institutions across the US , Canada , Australia , and the UK were affected.
The Shiny Hunters extortion group claimed responsibility and alleged theft of approximately 3.5 terabytes of data.
Compromised data reportedly includes names , email addresses , student ID numbers , and user messages ; no passwords or financial data were accessed, according to Instructure.
Instructure has not confirmed whether a ransom payment was made; the deal includes digital verification of data deletion.
The incident has raised concerns in India about the security of cloud-based student data systems, including those in the CBSE ecosystem.

Instructure, the US-headquartered company behind the widely used Canvas Learning Management System (LMS), has reached an agreement with the hackers responsible for a major April 2025 cyberattack that disrupted an estimated 9,000 institutions across the United States, Canada, Australia, and the United Kingdom. The breach, which involved the theft of approximately 3.5 terabytes of student and institutional data, has reignited global concerns about the security of digital education infrastructure.

What the Cyberattack Involved

The breach was discovered on 29 April and was claimed by the Shiny Hunters extortion group, a threat actor previously linked to multiple high-profile global cyber incidents. The attackers reportedly exfiltrated data including student names, email addresses, student ID numbers, and messages exchanged among users. The platform outage also caused widespread disruption, with reports of exam interruptions at affected institutions during the period of downtime.

Instructure confirmed it is investigating the incident and stated there is no evidence that passwords, dates of birth, government identification numbers, or financial information were accessed in the breach — a key assurance for the millions of students and faculty whose data resides on the platform.

Terms of the Agreement with Hackers

According to reports, Instructure reached an agreement under which the hackers claimed to have deleted the stolen data and provided digital verification of that deletion. The company said the deal also includes assurances that affected customers will not be targeted or extorted further. Instructure has not confirmed whether any financial transaction — such as a ransom payment — was part of the arrangement. Cyber security experts note that such agreements are frequently associated with ransom negotiations conducted through encrypted channels, even when companies decline to publicly acknowledge payments.

Implications for Education Data Security

The Canvas breach has drawn attention well beyond the institutions directly affected. In India, the incident has prompted questions about the resilience of systems managing sensitive student data — including exam records and answer sheets held in cloud environments such as those within the Central Board of Secondary Education (CBSE) ecosystem. Critics argue that as education platforms scale globally, the attack surface for ransomware and extortion groups expands proportionally. This is not an isolated incident: the Shiny Hunters group has a documented history of targeting large consumer and institutional platforms, making their involvement a signal of a systematic, not opportunistic, threat.

Notably, the Canvas attack affected both the data layer and the service availability layer simultaneously — a dual-vector compromise that compounded institutional disruption beyond what a simple data theft would have caused.

What Happens Next

Instructure has indicated it is continuing its investigation and has not yet disclosed a full timeline for notifying all affected users. Regulatory obligations under data protection frameworks in the US, UK, Canada, and Australia may compel further disclosures. Education institutions using Canvas LMS have been advised by cyber security professionals to audit access logs, enforce multi-factor authentication, and review data-sharing agreements with third-party platforms. The incident is likely to accelerate regulatory scrutiny of edtech vendors handling large volumes of student data globally.

Point of View

Instructure may have resolved its immediate crisis, but it has also signalled to the broader ransomware ecosystem that edtech platforms are negotiable targets. The company's refusal to confirm or deny a ransom payment is legally understandable but operationally damaging to institutional trust. More critically, the dual impact — simultaneous data theft and service outage — exposes a design vulnerability in centralised LMS architecture that no ransom deal can fix. Regulators in four countries now have both the evidence and the political pressure to demand mandatory minimum security standards for platforms handling student data at scale.
NationPress
18 Jul 2026

Frequently Asked Questions

What happened in the Canvas LMS cyberattack?
Hackers, later identified as the Shiny Hunters extortion group, breached Instructure's Canvas LMS in late April 2025, stealing approximately 3.5 terabytes of student and institutional data and causing service outages at around 9,000 institutions across the US, Canada, Australia, and the UK. The breach was discovered on 29 April.
What deal did Instructure reach with the hackers?
Instructure reached an agreement under which the hackers claimed to have deleted the stolen data and provided digital verification of that deletion. The company also received assurances that affected customers would not be further extorted. Instructure has not confirmed whether any ransom payment was involved.
What student data was compromised in the Canvas breach?
According to Instructure, the compromised data includes names, email addresses, student ID numbers, and messages exchanged among users. The company stated there is no evidence that passwords, dates of birth, government identification numbers, or financial information were accessed.
Who is the Shiny Hunters group behind the Canvas attack?
Shiny Hunters is a well-documented cyber extortion group with a history of targeting large consumer and institutional platforms globally. Their involvement in the Canvas breach is consistent with their pattern of stealing bulk data and threatening public release unless a ransom is paid.
Why does the Canvas cyberattack matter for Indian education institutions?
The breach has prompted scrutiny of cloud-based student data systems in India, including those within the CBSE ecosystem. It highlights that centralised digital platforms handling exam records, answer sheets, and student identities are potential targets for ransomware groups operating at scale.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 2 months ago
  2. 2 months ago
  3. 7 months ago
  4. 7 months ago
  5. 7 months ago
  6. 9 months ago
  7. 1 year ago
  8. 1 year ago
Google Prefer NP
On Google