"We reached an agreement with the unauthorized actor involved in this incident," Instructure said, citing "concerns about the potential publication of data." The Utah-based company took the controversial decision to pay a ransom after an extortion crew threatened to publish a 3.65TB haul stolen from its Canvas learning-management system.
Instructure's ransom agreement and what the company says it secured
Instructure disclosed that the agreement with the attackers covers all impacted customers and that the pilfered data was returned, accompanied by digital confirmation of data destruction. The company said it was informed that "none of the company's customers will be separately extorted as a result of the hack." Instructure acknowledged the choice to pay was made to "give customers additional peace of mind, to the extent possible," while noting "there is never complete certainty when dealing with cyber criminals."
How the ShinyHunters crew gained access
Instructure tied the incident to ShinyHunters, which it described as a decentralized cybercrime extortion group. The attackers are said to have exploited an unspecified vulnerability "regarding support tickets" in Instructure's Free-For-Teacher environment to obtain initial access. That vector reportedly allowed the actors to siphon large volumes of data from the platform.
Scale of the theft: 3.65TB, 275 million records, and nearly 9,000 organizations
The breach resulted in the theft of approximately 3.65TB of data and impacted nearly 9,000 organizations. Instructure said roughly 275 million records were taken, including usernames, email addresses, course names, enrollment information, and messages. The company emphasized that course content, submissions, and credentials were not compromised.
Second wave, defacements, and the May 12 deadline
Although Instructure initially believed the breach had been contained, a second wave of unauthorized activity tied to the same incident was detected on May 7, 2026. That activity defaced Canvas login portals at roughly 330 institutions and included extortion messages that set a negotiation deadline of May 12, 2026 — a timeline the company cited in its public update as part of the reason it reached an agreement with the actors.
Technical mitigations Instructure says it has taken
In response to the incident, Instructure temporarily shut down Free-For-Teacher accounts. The company said it revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token-creation pathways, and deployed additional security controls. Instructure also said it is working with "expert vendors" to support forensic analysis, improve cybersecurity posture, and conduct a comprehensive review of the data involved.
How students, institutions, and security teams are being urged to act
- Students and parents: Halcyon warned that "the exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike." Individuals tied to affected institutions should expect potential phishing and impersonation attempts and be prepared to verify unusual requests through known, separate channels.
- Institutions and administrators: Halcyon recommended institutions issue phishing advisories and direct communications immediately, noting that "Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks."
- Security teams and technologists: Alongside Instructure's stated mitigation steps, teams should assume exposed metadata could be used in social-engineering attacks and plan for targeted detection and response activities for credential theft and phishing campaigns.
Instructure's disclosure frames a set of concrete trade-offs: the company reports that the stolen data was returned with a digital confirmation of destruction and that customers will not be individually extorted, while acknowledging residual uncertainty when dealing with criminal actors. The company has moved to restrict the specific Free-For-Teacher pathway used by the attackers and to revoke and rotate credentials, tokens, and keys, and it has brought in external vendors for forensic work, measures the company described as part of an effort to give customers "additional peace of mind." Whether those steps, and the digital confirmations supplied by the attackers, satisfy customers and the institutions affected will depend on the results of the ongoing forensic review and any further communications from Instructure.
Read the original report: https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html




