Instructure Strikes a Deal with Hackers After Two Breaches Hit Canvas Platform

The Instructure Canvas hack has taken a surprising turn. The company behind the widely used school information portal Canvas announced on Tuesday that it has “reached an agreement” with the cybercriminals who infiltrated its systems not once, but twice. This breach exposed sensitive data of millions of students and staff, disrupting thousands of schools that rely on the software daily.

The hacking group ShinyHunters, known for financially motivated cyberattacks, claimed responsibility for the initial breach on April 29. They alleged to have stolen personal information of 275 million individuals, including student and staff data. Canvas serves nearly 9,000 schools, making this one of the largest educational data breaches in recent memory.

What Happened in the Instructure Canvas Hack?

The hackers didn’t stop after the first intrusion. Last week, they struck again, defacing Canvas login pages on school websites to pressure Instructure into paying a ransom. This second attack amplified the urgency for the company to respond.

According to Instructure’s incident page, the agreement required the hackers to provide proof that the stolen data was destroyed. The company also stated that Canvas customers would not be subject to further extortion. However, Instructure acknowledged that there is “never complete certainty” when negotiating with cybercriminals, advising customers not to engage directly with the attackers.

Financial details of the deal remain undisclosed. Instructure spokesperson Brian Watkins declined to comment beyond the official statement when contacted by TechCrunch. On ShinyHunters’ leak site, a listing threatening to publish the stolen data was removed, suggesting a ransom may have been paid.

The Risks of Paying Ransoms in the Canvas Security Incident

This Canvas security incident raises critical questions about the wisdom of paying ransoms. Governments, including the United States, have long urged victims not to comply with hackers’ demands, as it fuels further criminal activity. Security researchers argue that trusting malicious actors is risky, as some groups have been caught retaining stolen data even after claiming deletion.

The situation mirrors the PowerSchool data breach in 2024, where 70 million students and staff were affected. PowerSchool paid the hackers to return the data, but later, another crime group extorted several customers using data that was supposedly destroyed. This precedent highlights the potential pitfalls of negotiating with cybercriminals.

In a statement, the FBI acknowledged the system disruptions affecting schools but advised victims not to send payments or respond to demands. The bureau did not name Canvas specifically but emphasized the broader risks of engaging with hackers.

What Data Was Stolen in the Instructure Breach?

TechCrunch reviewed samples of the stolen data, which included students’ names, personal email addresses, and private messages between teachers and students. This sensitive information could be exploited for identity theft or phishing attacks, putting millions at risk.

Instructure confirmed that the two breaches were “distinct events” involving different systems. The company is still investigating the full scope of the attack and validating findings. Notably, it remains unclear who oversees cybersecurity at Instructure, and the company refused to comment on whether CEO Steve Daly plans to resign following the incidents.

Lessons for Schools and Educational Software Users

For schools using Canvas, this educational software breach serves as a stark reminder of the vulnerabilities in digital learning platforms. Administrators should review their security protocols and ensure that student data is encrypted both in transit and at rest. Regularly updating passwords and enabling multi-factor authentication can also reduce risks.

Internal links to related resources: For more on protecting student data, see our guide on How to Secure School Data. If you’re a school administrator, check out Best Practices for EdTech Security. Learn about Ransomware Response for Schools.

As the investigation continues, the Instructure Canvas hack underscores the importance of proactive cybersecurity measures. While the hackers claim the data is gone, the long-term impact on affected students and staff remains uncertain.