Instructure (Canvas LMS) Reaches Agreement with ShinyHunters to Suppress Stolen Data – May 2026

Lifecycle changed

monitoring → closed

Event Closed

auto_closed_monitoring_timeout

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active → monitoring

Status changed to active

remediation: existing active criteria met

developing → active

Merged with: ShinyHunters Ransomware Attack on Instructure Canvas Disrupts ~9,000 Universities & Schools – May 2026

Event "ShinyHunters Ransomware Attack on Instructure Canvas Disrupts ~9,000 Universities & Schools – May 2026" (slug: shinyhunters-ransomware-attack-on-instructure-canvas-disrupts-9-000-universities) merged into this event.

Merged with: ShinyHunters Breaches Instructure Canvas LMS – Data Theft & Portal Defacement – April–May 2026

Event "ShinyHunters Breaches Instructure Canvas LMS – Data Theft & Portal Defacement – April–May 2026" (slug: shinyhunters-breaches-instructure-canvas-lms-data-theft-portal-defacement-april-) merged into this event.

Merged with: Canvas/Instructure Data Breach – Hackers Strike Deal to Delete Stolen Student Data – May 2026

Event "Canvas/Instructure Data Breach – Hackers Strike Deal to Delete Stolen Student Data – May 2026" (slug: canvas-instructure-data-breach-hackers-strike-deal-to-delete-stolen-student-data) merged into this event.

The U.S. House Committee on Homeland Security has called on Instructure executives to testify about two cyberattacks carried out by the ShinyHunters extortion group targeting the Canvas learning platform. The attacks resulted in the theft of student data and disrupted schools during final exam periods. The congressional inquiry marks an escalation in governmental scrutiny of the incident and its impact on educational institutions nationwide.

Source: BleepingComputer (Trade Media) · View source

Initial Detection

Instructure, the parent company of the widely-used Canvas online learning platform, suffered a cyberattack that resulted in the theft of student and faculty data. The breach caused significant disruption, including delays to final examinations. Instructure subsequently reached an agreement with the threat actors to delete the stolen data, suggesting a ransomware or extortion-style negotiation.

Instructure, the parent company of Canvas, said in an online post that it 'reached an agreement with the unauthorized actor involved in this incident'. The hack caused chaos for students and faculty last week, delaying some final exams.

Source: The Guardian World (Mainstream Media) · View source

Instructure, the company behind the Canvas learning management system, has confirmed it paid a ransom to the ShinyHunters extortion group following a data breach, with the company stating the agreement resulted in stolen data being 'returned' and digital confirmation of its destruction. The US Congress has announced an investigation into the incident. This represents an escalation of the previously reported 'agreement' between Instructure and ShinyHunters.

Source: The Record (Cyber) (Trade Media) · View source

Status changed to developing

Auto-promoted: multiple corroborating sources

Instructure, the company behind the Canvas learning management system, has confirmed it 'reached an agreement' with the ShinyHunters hacking group following a data breach that disrupted thousands of colleges and universities. The company reportedly paid the criminals to delete stolen student data. This BBC World coverage adds mainstream media corroboration to the incident previously reported by BleepingComputer.

Source: BBC World (Mainstream Media) · View source