
Instructure says it reached an agreement with the threat actors behind the recent cyberattack targeting its Canvas learning platform.
The company stated that stolen data was returned and that the attackers provided “digital confirmation of data destruction.”
The attack was previously linked to the ShinyHunters extortion group after attackers publicly claimed responsibility for the breach through defaced Canvas login pages displayed to students and faculty during the outage. The group threatened to leak data if negotiations were not opened by May 12.
While Instructure did not explicitly state that it paid a ransom, the arrangement closely mirrors the type of extortion settlement commonly associated with the ShinyHunters cybercrime group.
The latest disclosure follows days of outages and disruptions affecting universities and school districts worldwide after attackers breached Instructure’s environment and defaced hundreds of Canvas login portals with ransom-style messages. The incident disrupted access to coursework, assignments, grades, messaging systems, and exam materials during a critical exam period for many institutions.
Instructure is a Utah-based education technology company that operates Canvas, one of the world’s largest cloud-based learning management systems. The platform is used by more than 30 million students, teachers, and administrators across 8,000 educational institutions worldwide, including major universities and K-12 school districts.
In the latest update, Instructure CEO Steve Daly acknowledged customer concerns surrounding the possible publication of stolen data and confirmed the company had reached an agreement with the “unauthorized actor” involved in the breach.
According to the company, the agreement included the return of the stolen data and “shred logs,” which are typically used by ransomware and extortion groups as evidence that copied files were deleted from attacker-controlled systems.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company said.
The announcement strongly suggests that Instructure entered into a financial settlement with the attackers, although the company avoided directly characterizing the arrangement as a ransom payment. Instructure also said the agreement applies to all affected customers and advised schools and institutions not to engage with the attackers independently.
The company cautioned that there is “never complete certainty when dealing with cyber criminals,” despite the assurances it received from the threat actors.
The latest update comes one day after Instructure publicly confirmed that attackers gained unauthorized access to portions of its environment and exploited a vulnerability tied to the company’s “Free for Teacher” support ticket system.
Exposed data may include usernames, email addresses, course names, enrollment information, and user messages. Instructure maintains that “core learning data,” including coursework, assignment submissions, and credentials, was not compromised.
The company said Canvas is now fully operational, and customers currently do not need to take any action.






