Instructure paid ransom after 3.65TB Canvas breach

Instructure, the Utah-based owner of the Canvas learning platform, said it reached an agreement with the ShinyHunters extortion group and paid a ransom after attackers stole about 3.65TB of data from nearly 9,000 schools and universities. The company said the files were returned and it received digital confirmation the data were destroyed, and that the agreement covers all impacted customers and prevents separate extortion demands.

The breach first appeared late last month when attackers exfiltrated a large archive of Canvas data. A second wave of activity tied to the incident was detected on May 7, 2026, when roughly 330 institutions had their Canvas login portals defaced with extortion messages. The attackers set a May 12 deadline to negotiate or publish the stolen material.

Instructure traced initial access to a vulnerability related to support tickets in its Free-for-Teacher environment. The attackers used that access to remove roughly 3.65TB of data, the company said.

The firm estimated the theft included about 275 million records containing usernames, email addresses, course names, enrollment information and messages. Instructure stated that course content, student submissions and account credentials were not accessed.

In response, Instructure temporarily shut down Free-for-Teacher accounts, revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways and deployed additional security controls. The company is working with external vendors on forensic analysis, cybersecurity improvements and a comprehensive review of the data. It declined to disclose the technical details of the vulnerability or the amount paid to the attackers.

Instructure wrote in its update: “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.” The company also said it has been informed that none of its customers will face separate extortion demands as a result of the incident.

Halcyon, a cybersecurity firm, warned the exfiltrated records could enable targeted phishing campaigns. “The exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike,” the firm said, and recommended that affected institutions issue phishing advisories and direct communications to students, parents and staff.

Investigations and remediation work are ongoing as Instructure works to restore customer confidence and prevent further unauthorized access.