Read, Watch or Listen

United States-based Instructure, the developer of the widely used Canvas learning management system, has confirmed it paid a ransom to the cyber-extortion group ShinyHunters after a massive breach affecting education institutions worldwide. The company said it transferred the payment one day before a final deadline of May 12, 2026, following the theft of 3.6 terabytes of data linked to roughly 275 million users at more than 8,800 institutions, including major U.S. universities and K-12 school districts. Stolen information included student and staff names, email addresses, ID numbers and billions of private messages exchanged on the platform. The attackers escalated the incident on May 8 by defacing login portals at about 330 institutions, blocking access for students and faculty during critical final examination periods. United States investigators found that the hackers exploited a vulnerability in Canvas’s “Free-For-Teacher” account feature to bypass security boundaries and reach institutional data, prompting Instructure to disable that feature and deploy additional security patches. Chief executive Steve Daly said the company received digital confirmation of data destruction in the form of “shred logs” and assurances from ShinyHunters that it would not further extort Instructure’s customers, although the firm did not disclose the size of the ransom. The Federal Bureau of Investigation generally advises against paying ransoms, but Instructure said it proceeded with the settlement because of the immediate risks to student privacy and the disruption to academic operations during exams.

Prepared by Emily Rhodes and reviewed by editorial team.