Instructure, the maker of the popular school information portal Canvas, announced Tuesday that it had “reached an agreement” with the hackers who twice breached its systems, stole vast amounts of student and faculty data, and disrupted the thousands of schools that rely on its software.
The financially motivated cybercriminal group ShinyHunters claimed responsibility for the April 29 data breach, claiming that it stole the data of a total of 275 million students, faculty and staff, including personal information. The hackers said they had breached Canvas, which is used by about 9,000 schools to manage student data and classes.
Hackers breached the company for a second time last week by defacing the school website Canvas’ login page as part of an effort to force the company to pay a ransom.
Instructure said on its incident page late Monday that as part of the agreement, the hackers provided evidence that the stolen data would be destroyed and that Canvas customers would not be extorted.
The company acknowledged that “there is never complete certainty” when negotiating with cybercriminals, but noted that customers do not need to engage with hackers.
Financial terms of the deal were not disclosed, and Instructure did not say how much it paid the hackers. Instructure spokesman Brian Watkins declined to comment beyond the company’s statement or answer questions about the agreement when contacted Tuesday.
In a post on the leak site seen by TechCrunch, ShinyHunters threatened to release stolen data taken from Instructor unless Instructor paid its extortion demands.
As of Tuesday, the listing has been removed from ShinyHunters’ page, indicating that a ransom may have been paid.
A ShinyHunters representative told TechCrunch: [sic] Customers will no longer be targeted or contacted for payment by us. ”
It’s unclear why Instructor paid the hackers. Governments, including the United States, have long urged victims of cybercrime not to pay ransoms to hackers. This is because cybercriminals can profit from attacks. Security researchers argue that victims cannot believe the words of malicious hackers. Some cybercriminals have been found keeping stolen data, even though they claimed to have deleted it in order to continue extorting victims.
The hack into its infrastructure mirrors the cyber attack on Power School, which suffered a massive data breach in 2024 that affected 70 million students, faculty and staff. PowerSchool, which also makes school information software, paid the hackers to return the stolen data, but then some of its customers were blackmailed by another criminal group who showed them data from the breach that was not destroyed.
The FBI said in a statement last week that it is “aware” of system failures impacting schools and educational institutions across the country. The notice did not name Canvas, but stated that victims “must not send any money or respond to” the cybercriminal’s requests.
The data stolen from In Structure, some of which TechCrunch has seen, includes student names, personal email addresses, and messages exchanged between teachers and students, including private and personal information.
Instructure acknowledged on its website that hackers had breached its systems twice within a year, but said the two breaches were “separate events” involving different systems.
Instructor said it is still investigating the breach and verifying its findings.
It’s unclear who is overseeing or responsible for cybersecurity other than Instructure’s CEO Steve Daley. When contacted by TechCrunch, Infrastructure declined to say whether Daly plans to resign in the wake of the data breach.
Has your Canvas administrator or school been notified of a breach? Have you received an extortion request from a hacker? We want to hear from you. To contact this reporter securely, please contact us via the Signal username zackwhittaker.1337.
Updated with response from Instructor.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.
Source link
