Skip to main content
Emerging ThreatsData Breaches

Instructure Thwarts ShinyHunters Data Leak with Agreement

Laptop on a desk with blurred background, conveying containment and resolution.

"We understand how unsettling situations like this can be, and protecting our community remains our top priority. With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident," the company said.

Instructure says it reached an agreement with ShinyHunters

Instructure, the maker of the Canvas learning management system used by more than 30 million educators and students across more than 8,000 schools and universities worldwide, told customers it has reached an "agreement" with the extortion group ShinyHunters to prevent the release of data stolen in a recent breach. The company reported that the actor returned the stolen data and provided shred logs it says confirm the data's destruction.

Instructure added that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise," and that the agreement "covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor." The company also said its leadership will provide additional information and discuss measures taken to secure systems in a May 13 webinar.

How ShinyHunters exploited the Free-for-Teacher Canvas environment

ShinyHunters claimed responsibility for the breach and said it stole more than 3.6 TB of uncompressed data. Instructure confirmed to BleepingComputer that the attackers exploited a security issue in the Free-for-Teacher environment, a free, limited version of Canvas LMS for individual educators.

BleepingComputer reported that the attacker leveraged multiple cross-site scripting (XSS) vulnerabilities. According to that reporting, ShinyHunters injected malicious JavaScript into user-generated content features that exploited Canvas XSS flaws, obtained authenticated admin sessions, and performed privileged actions. Instructure said the unauthorized actor "made changes to the pages that appeared when some students and teachers were logged in through Canvas."

Extortion attempt, defacement, and Instructure's operational response

The group also carried out a second intrusion on May 7, using the same vulnerability to deface Canvas login portals and leave an extortion message, warning that Instructure and its customers had until May 12 to enter negotiations. In response, Instructure temporarily shut down Free-for-Teacher accounts and said Canvas has since been "restored and is fully back online and available for use."

The company recommended that customers "continue normal monitoring of their Canvas environments, integrations, and administrative activity" while it works "to resolve these security issues to prevent future incidents." Instructure did not share additional technical details about the breach or the defacements beyond what BleepingComputer reported about the XSS-based technique.

What this means for educators, IT/security teams, and regulators

  • Educators and students: Many users of Canvas—reported by Instructure as more than 30 million—should treat normal monitoring advice as operational guidance. Instructure's statement that no customers will be extorted and that the agreement covers all impacted customers aims to limit individual outreach to the attacker.
  • IT and security teams at affected institutions: Teams will need to assess integrations and administrative activity, monitor for anomalous logins or privileged changes, and review whether any data tied to their accounts was among the claimed 3.6 TB of stolen material. The temporary shutdown of Free-for-Teacher accounts shifts immediate exposure assessment toward those specific environments.
  • Policymakers and regulators: The company has scheduled a May 13 webinar in which leadership will explain measures taken to secure systems against future breach attempts; regulators and oversight bodies may use that briefing to inform any follow-up inquiry or compliance review.

Shred logs, ransom warnings, and what comes next

Instructure says the unauthorized actor returned stolen data and provided shred logs confirming destruction. At the same time, the company’s statement was coupled with a standard caveat echoed in reporting from BleepingComputer: as the FBI has repeatedly warned, paying a ransom does not guarantee that threat actors will not also sell the stolen data to other cybercriminals or attempt to extort victims again.

The breach follows a September 2025 disclosure by Instructure of a separate incident—also claimed by ShinyHunters—that exposed data from the company's Salesforce instance. ShinyHunters has previously claimed responsibility for breaches at organizations including Rockstar Games, ADT, Vimeo, McGraw-Hill, Medtronic, and Zara.

Instructure's May 13 webinar is the named next step for customers and observers seeking additional detail on the company's technical remediation and the extent of the impact. The company's claim that customers will not face extortion and its presentation of shred logs will be central to whether the agreement with ShinyHunters is viewed as a final mitigation or an interim outcome with lingering risk.

Original reporting: BleepingComputer — Instructure reaches 'agreement' with ShinyHunters to stop data leak