Instructure strikes agreement with hackers who breached it twice

Instructure, the maker of the popular school website Canvas, said Tuesday it had “reached an agreement” with hackers who breached its systems twice, stole large amounts of student and staff information, and disrupted thousands of schools that rely on the company’s software.
ShinyHunters, a financially motivated cybercrime group, gained notoriety in the April 29 data breach, claiming to have stolen student and employee data, including personal information, of 275 million people. The hackers claim to have compromised Canvas, which is used by nearly 9,000 schools to manage their student information and courses.
Hackers last week breached the company for a second time, defacing Canvas login pages on school websites, as part of an effort to pressure the company into paying their ransom.
Instructure said on its incident page on Monday night that, as part of the agreement, the hackers provided evidence that the stolen information was destroyed, and that Canvas customers will not be defrauded.
The company admitted that there is “no absolute certainty” when dealing with hackers, but noted that customers should not contact hackers.
Financial terms of the deal were not disclosed, and Instructure did not say how much it paid the hackers. Department spokesman Brian Watkins did not respond to a request for comment or to questions about the agreement when contacted Tuesday.
In a post on its leak site, seen by TechCrunch, ShinyHunters threatened to publish the data it stole from Instructure if the company didn’t pay its ransom demand.
As of Tuesday, the listing had been removed from the ShinyHunters page, indicating that the ransom may have been paid.
A representative from ShinyHunters told TechCrunch: “The data is wiped, it’s gone. The company is too. [sic] customers will no longer be directed or contacted by us to pay.”
It is unclear why Instructure paid the hackers. Governments, including the United States, have long urged victims of cybercrime not to pay criminals, as this helps cybercriminals profit from their attacks. Security researchers have argued that victims cannot trust the word of malicious criminals: some cybercriminals have been found to hold on to stolen data, even though they claimed to have deleted it, in order to continue defrauding their victims.
The Instructure hack echoes a cyberattack on PowerSchool, which suffered a massive data breach affecting 70 million students and staff in 2024. PowerSchool, which makes school information software, paid hackers to return the stolen data, but several of its customers were later defrauded by another criminal group that showed data from the breach that had not been destroyed.
The FBI said in a statement last week that it was “aware” of the system disruptions affecting schools and educational institutions around the United States. The notice didn’t mention Canvas, but it did say that victims shouldn’t “send a payment or respond” to the cybercriminals’ demands.
The data stolen from Instructure, some of which TechCrunch has seen, includes students’ names, email addresses, and messages exchanged between teachers and students, including confidential and personal information.
On its website, Instructure acknowledged that hackers breached the company’s systems twice in less than a year, but said the two breaches were “separate incidents” involving different systems.
Instructure said it is still investigating the breach and confirming its findings.
It is unclear who at Instructure oversees or is responsible for cyber security, if not the company’s CEO, Steve Daly. When contacted by TechCrunch, Instructure would not say whether Daly plans to resign following the data breach.
Are you a Canvas administrator or a school notified of a breach? Have you received a scam from a scammer? We want to hear from you. To contact this reporter securely, reach out using the Signal username zack whittaker.1337.



