Read, Watch or Listen

United States – Instructure, the U.S.-based parent company of the Canvas learning management system, has confirmed it paid an undisclosed ransom to the cybercrime group ShinyHunters following a massive data breach that affected more than 8,000 educational institutions, including major universities and K-12 school districts. The breach, first detected in early May 2026, involved the exfiltration of about 3.65 terabytes of data from Canvas systems. The stolen records allegedly include personal information for an estimated 275 million users, such as names, email addresses, student identification numbers and private messages exchanged between students and teachers across the affected institutions. United States – ShinyHunters set a negotiation deadline of May 12, 2026, and after Instructure made the payment, the group provided digital confirmation and so‑called shred logs that it said show the exfiltrated data has been destroyed. Instructure stated that the agreement is intended to cover all affected customers, aiming to head off individual extortion attempts targeting specific schools or students. Legal experts warn that the incident and the ransom payment do not remove potential legal or regulatory obligations, and impacted schools are examining whether notification requirements under U.S. privacy laws still apply. The attack caused operational disruptions, forcing Canvas offline during final exam periods at several universities, where some students reported that their usual login pages were replaced with ransom notes from the hackers. Instructure plans to hold a customer webinar to outline the compromise and detail which categories of data were at risk.

Prepared by Jonathan Pierce and reviewed by editorial team.