The company behind the Canvas learning platform, Instructure, has reached an agreement with ShinyHunters, who stole 275 million student records this month. The hackers originally threatened to leak the private information of students and teachers unless they were paid by a deadline of 12 May 2026.
The New Agreement
Instructure shared the news on its website in an update dated 11 May 2026. The company said it reached an agreement with the hackers to prevent them from leaking the stolen data, and confirmed that the data was returned along with digital proof that the hackers destroyed their copies. This proof takes the form of shred logs, technical records that show files have been permanently deleted.
Instructure says schools and universities don’t need to communicate with the hackers themselves because this one deal covers all institutions involved. They also stated that no customers will be extorted or asked for money by this group.
However, the company didn’t disclose whether a ransom was paid or how much. Instructure noted that this step was taken to give the impacted families some peace of mind.
How the Attack Happened
This update follows past coverage from Hackread.com detailing how the breach occurred. On 30 April 2026, ShinyHunters exploited a vulnerability in “Free for Teacher” accounts, specifically involving how the system handles support tickets, to hack into the internal networks and steal around 3.65 terabytes of data.
On 7 May, the hackers attacked again by defacing the login pages for about 330 schools to show a ransom note. This forced the company to temporarily shut down some services, including Canvas Data 2 and Canvas Beta, which caused problems for school apps that relied on API keys to connect to Canvas.
During this second attack, students at hundreds of institutions worldwide, including the University of Colorado and Virginia Tech, saw their screens replaced with messages from the hackers. Many students found they couldn’t access their exams or assignments right when they needed them most, causing a lot of stress in classrooms.
The stolen data included sensitive details like names, email addresses, student ID numbers, and course details. Most worryingly, it included billions of private messages sent between teachers and students.
ShinyHunters’ Official Statement
Although the hackers did not publicly confirm receiving payment from Instructure, the group claimed that data linked to Canvas would not be leaked. Referring to the incident as “the recent situation at the LMS company,” the attackers said they were no longer seeking payment and claimed the stolen data had been deleted.
“We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us; the matter has been resolved. The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent.”
ShinyHunters

Is the Platform Safe?
Steve Daly, the head of Instructure, apologised to everyone for the stress caused. He confirmed that core data like grades and submitted schoolwork wasn’t stolen and that the company has now turned off the “Free for Teacher” accounts while it fixes the security issues. For now, the company says Canvas is back to normal and safe to use.
“Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised. We’ll give you clear guidance if any action is required on your end. Right now, there’s nothing you need to do,” Daly stated.
Even though a deal was made, students should still be careful since digital data cannot be perfectly recalled, and hackers may have made hidden copies before deleting the originals. Attackers can easily use these details to send realistic phishing emails to trick people.
The company is still investigating the incident. We will share more details as they emerge.

