Canvas’ parent company, American education technology company Instructor, announced it had reached an “agreement” with a decentralized cybercrime extortion group after the group infiltrated its network and threatened to divulge information stolen from thousands of schools and universities.
In an update shared on Monday, the Utah-based company said it had “reached an agreement with the unauthorized actors involved in this incident,” citing “concerns about potential data disclosure.”
In making the controversial decision to pay the ransom to avoid a breach, the company said the deal covered all affected customers and that stolen data was returned with digital confirmation of data destruction. The company also said it has received reports that no individual customers of the company will be extorted as a result of the hack.
“While there is no such thing as absolute certainty when dealing with cybercriminals, we believe it is important to take every step within our control to provide our customers with added peace of mind wherever possible,” Instructor said.
It also said it is working with specialized vendors to support forensic analysis, improve its cybersecurity posture and conduct a comprehensive review of relevant data.
This disclosure comes as the ShinyHunters extortion team launched a digital attack late last month against Canvas, a popular web-based learning management system, resulting in the theft of 3.65 TB of data. This incident affected approximately 9,000 organizations.
Although the breach was initially thought to be contained, a second wave of fraud related to the same incident was detected on May 7, 2026, when approximately 330 institutions’ Canvas login portals were defaced with extortion messages, and Instructure was given a deadline of May 12, 2026 to negotiate a ransom or risk a data breach.
The attackers allegedly gained initial access by exploiting an unspecified “support ticket” vulnerability in the Free-for-Teacher environment and siphoned approximately 275 million records, including usernames, email addresses, course names, registration information, and messages. Instructor emphasized that no course content, submissions, or credentials were compromised.
In response to this breach, Instructor has temporarily closed the Free-For-Teacher account. The company did not disclose the nature of the vulnerability, but said it has revoked privileged credentials and access tokens on affected systems, rotated internal keys, restricted token creation paths, and implemented additional security controls.
“The leaked data provides threat actors with enough personal context to conduct phishing campaigns targeting staff, students, parents, etc.,” Halcyon said.
“Leaked records could be used to impersonate school administrators, IT support, or financial aid offices in subsequent attacks. Students, parents, and staff at affected institutions should be considered, and institutions should immediately issue phishing advisories and contact them directly.”
Source link
