Instructure Reaches Agreement with ShinyHunters to Stop Canvas LMS Data Leak
Instructure, the company behind the widely used Canvas Learning Management System (Canvas LMS), has announced that it has reached an agreement with the notorious hacking group ShinyHunters to halt the release of data stolen during a major cybersecurity breach.
The incident has raised significant concerns across the education sector, as Canvas LMS is used by more than 9,000 educational institutions worldwide, supporting hundreds of millions of students, educators, and staff.
Breach Details and Impacted Data
According to reports, ShinyHunters claimed to have exfiltrated approximately 3.6 terabytes (TB) of data from Instructure’s systems. The compromised data may include:
- Full names of users
- Email addresses and account information
- Student identification numbers
- Course enrollment details
- Private messages between students and instructors
- Certain data linked through connected systems, including Salesforce
Instructure stated that passwords, financial information, and Social Security numbers (SSNs) were not affected by the breach.
Agreement Reached to Prevent Further Data Exposure
Following negotiations with the threat actors, Instructure confirmed that an agreement was reached to prevent additional data disclosure. Key terms reportedly include:
- The stolen data has been returned to the company
- Instructure received digital confirmation of data destruction (“shred logs”), indicating that the attackers deleted the stolen files
- ShinyHunters agreed not to pursue further extortion attempts against Instructure’s customers
While the company has not publicly confirmed whether a ransom payment was made, cybersecurity experts suggest that such agreements often involve some form of financial settlement to contain the damage.
Attack Vector: Exploitation of a Canvas Vulnerability
Reports indicate that the attackers exploited a vulnerability in Canvas’s Free-for-Teacher environment, allowing them to escalate privileges and gain administrative-level access.
The threat actors allegedly used this access not only to steal sensitive data but also to deface Canvas login pages for multiple institutions, displaying ransom messages and threatening public data leaks if negotiations were not initiated.
More than 330 educational institutions were reportedly affected by the login page defacement.
Risks Remain Despite Claimed Data Deletion
Although Instructure says it received proof that the stolen data was deleted, cybersecurity experts caution that there is no way to fully verify that threat actors did not retain copies.
Potential ongoing risks include:
- Phishing attacks using leaked personal information
- Social engineering attempts targeting students and staff
- Credential stuffing or unauthorized access to other systems
- Long-term reputational and compliance challenges for affected institutions
Recommended Actions for Organizations and Users
Organizations using Canvas LMS are advised to take immediate steps, including:
- Reviewing system and audit logs
- Resetting passwords and session tokens
- Enabling Multi-Factor Authentication (MFA) across all accounts
- Checking integrations with third-party platforms such as CRM or cloud services
- Monitoring for unusual login activity or suspicious behavior
Individual users should also change passwords—especially if reused across multiple platforms—and remain vigilant against phishing emails or messages referencing personal academic information.
A Growing Trend in Cyber Extortion
This incident highlights the growing shift toward data extortion attacks, where threat actors steal and threaten to publish sensitive information instead of relying solely on traditional ransomware encryption.
For modern organizations, especially those managing large-scale SaaS platforms, strengthening cyber resilience is no longer optional. Proactive threat detection, robust access controls, and well-tested incident response plans are essential to minimizing the impact of increasingly sophisticated cyber threats.
As this case demonstrates, even when a data leak appears to be “resolved,” the long-term security implications can persist well beyond the initial breach.