Instructure says it has reached an agreement with the unauthorized actor behind the recent Canvas breach, saying the agreement would prevent further customer extortion that disrupted schools and universities during final exams and exposed user data from the learning management platform.
The agreement covers affected customers, Instructure said, meaning individual schools do not need to negotiate separately with the actor.
The company disclosed on Monday that the stolen data had been returned, that it received digital confirmation of destruction through “shred logs” and that no Instructure customers would be extorted publicly or otherwise as a result of the incident.
Instructure says the exposed data included usernames, email addresses, course names, enrollment information and messages.
Instructure has not disclosed the terms of the agreement or confirmed a ransom payment. Reuters reported that ShinyHunters, the hacking group that claimed responsibility for the breach, told the news agency the data had been deleted and that the company and its customers would not be contacted for further payment.
The access path
The breach focused on Canvas, Instructure’s cloud-based learning management system. Instructure describes Canvas LMS as serving more than 30 million active users globally and says the platform is built as a multi-tenant SaaS system.
Instructure detected unauthorized activity in Canvas on April 29 and revoked the actor’s access. It then identified additional unauthorized activity on May 7, when some students and teachers saw altered Canvas pages after logging in. The company temporarily took Canvas offline while it investigated and applied safeguards.
Instructure has tied both rounds of unauthorized access to an issue involving Free-for-Teacher accounts. The company temporarily shut down those accounts to remove the access path, revoked privileged credentials and access tokens, rotated internal keys, restricted token creation pathways and added monitoring across its platforms.
The Free-for-Teacher terms show the service was designed for individual and school-linked use, with schools responsible for duties tied to FERPA, COPPA and student consent. The compromised access path existed in a no-cost account environment that schools can link to production instances, which is now drawing regulatory attention.
Federal scrutiny begins
The company has found no evidence that course content, submissions, credentials, passwords, birth dates, government identifiers or financial information were compromised. It also says it has found no evidence that additional data was taken during the May 7 activity.
ShinyHunters has claimed a much larger haul involving hundreds of millions of users across nearly 9,000 institutions. The House Homeland Security Committee cited those claims in a May 11 letter request but noted that the full scope remains under investigation.
Congressional and department oversight
The committee asked Instructure to brief lawmakers on the nature of the breach, the amount and type of data compromised, its incident response and its coordination with federal law enforcement and CISA.
Chairman Andrew Garbarino said the recurrence of activity after an initial breach disclosure raised questions about Instructure’s response and obligations to institutions and users whose data it holds.
The Education Department has also entered the response. Federal Student Aid said senior department leaders are in contact with Instructure’s chief information security officer, while the Student Privacy Policy Office has requested information from the company to assess FERPA compliance.
Recovery status and compliance reviews
Canvas is now fully operational, and Instructure says its external forensic partner found no evidence the threat actor currently has access to the platform. The company is still validating customer-specific data, conducting a forensic review and preparing legal and regulatory notifications where required.