Instructure, the company behind the widely used Canvas school software platform, announced Tuesday it has “reached an agreement” with the cybercrime group that breached its systems twice and stole data on an estimated 275 million students and staff members.
The hacking group ShinyHunters claimed responsibility for an initial breach on April 29, 2026, stealing personal information including students’ names, email addresses, and private messages exchanged between teachers and students. Nearly 9,000 schools use Canvas to manage student data and coursework. When Instructure did not immediately comply with the group’s ransom demand, ShinyHunters breached the company a second time, defacing Canvas login pages on school websites as additional pressure to pay.
Instructure said hackers provided evidence that the stolen data had been destroyed and that Canvas customers would not face further extortion. Financial terms were not disclosed. The company’s spokesperson did not respond to requests for comment. As of Tuesday, ShinyHunters’ listing of the stolen data had been removed from the group’s leak site. A ShinyHunters representative told TechCrunch: “The data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.”
Instructure acknowledged there is “never complete certainty” when negotiating with cybercriminals. The FBI issued a statement last week saying it was “aware” of disruptions affecting schools and educational institutions, and advised victims to “not send payment or respond” to cybercriminal demands.
The incident draws comparisons to a 2024 breach at PowerSchool, a rival school software maker, which paid hackers to recover stolen data affecting 70 million students and staff — only for customers to later face extortion from another group that retained copies of the data.
Security researchers have warned that victims cannot rely on hackers’ promises to delete stolen data, as some cybercriminals have continued extorting victims after claiming to have done so. Instructure said it is still investigating the breach and validating its findings.
Source: TechCrunch