Instructure pays ShinyHunters after Canvas hack: a contrarian decision

In 2025, just 19% of victims of non-encrypting extortion paid, according to Coveware. Instructure has just joined that minority. On May 11, 2026, the publisher of Canvas, a learning management system used by over 30 million teachers and students in more than 8,000 institutions worldwide, confirmed that it had reached an “agreement” with ShinyHunters to prevent the publication of data stolen from its platform. The company paid an undisclosed ransom, which unconfirmed sources put in the tens of millions of dollars, for a case of pure exfiltration. It is the second time in eighteen months that a major educational software publisher has paid after a pure exfiltration: PowerSchool did the same in December 2024, before its customers were extorted again with the very data that was supposed to have been destroyed.

Two intrusions, one XSS flaw never closed

The initial intrusion was detected on April 29, 2026. Unidentified actors got into the Canvas environment through Free-for-Teacher, a free, lightweight edition of the service aimed at individual teachers. The vector, confirmed by BleepingComputer, relied on cross-site scripting (XSS) vulnerabilities in features that render user-generated content: malicious JavaScript injected into that content captured authenticated administrator sessions, and privileged actions were then executed from those accounts. ShinyHunters did not claim the attack on its leak site until May 3.

On May 7, the same actors came back through the same door, which had been left open. This time the objective was no longer exfiltration but pressure: ShinyHunters altered the Canvas login pages shown to some users so that they displayed an extortion message urging Instructure and the institutions to open negotiations before May 12. Around 330 login portals were defaced, including that of the University of Texas at San Antonio, a screenshot of which, published by BleepingComputer, has become the iconic image of the incident. Instructure put Canvas into maintenance mode the same day, having detected and neutralized this second attack within ten minutes thanks to the heightened monitoring deployed after the first intrusion.

ShinyHunters extortion message on a defaced Canvas portal – Source: BleepingComputer

It is precisely this gap, left open between the two intrusions, that the Congressional committee’s criticism targets. Representative Andrew Garbarino (R-NY), Chairman of the House Homeland Security Committee, wrote directly to CEO Steve Daly: “the recurrence of an intrusion in the days following the initial disclosure, and Instructure’s apparent inability to fully remediate the underlying vulnerabilities during this window, raise serious questions about the company’s incident response capabilities”.

3.65 TB of data stolen, but no assignments or passwords

ShinyHunters claims to have stolen 3.65 TB of uncompressed data, around 275 million records belonging to students, teachers and staff from 8,809 educational organizations. Instructure has confirmed that the exfiltrated fields include usernames, e-mail addresses, course titles, enrollment information and messages exchanged on the platform. The company was equally explicit about what the attackers did not get: course content, assignments and passwords were not touched.

That distinction sets the real risk to users. As Halcyon summarized, the exfiltrated data “provides threat actors with enough personal context to conduct targeted phishing campaigns against staff, students and families”. An attacker who knows a student’s e-mail address, university, courses and lecturers’ names can craft alarmingly credible lures: a fake IT helpdesk, fake financial aid, a message impersonating a professor. Members of the affected institutions become priority spear-phishing targets for months to come. Instructure has published a fact sheet with awareness guidance for users, detailing the phishing scenarios most likely to follow this leak.

Instructure fact sheet describing the phishing, smishing and vishing scams likely to follow the Canvas leak – Source: Instructure

Paying for exfiltration, against the market trend

What makes this incident worth analyzing, beyond its chronology, is that Instructure paid without any system being encrypted or any data made unavailable. The dynamics of pure extortion differ sharply from those of classic ransomware. In the third quarter of 2025, the payment rate for attacks without encryption fell to 19%, according to Coveware. Across all categories, Chainalysis puts the rate at 28%, an all-time low, against the 37% that Coveware had reported for Q4 2022. This drop is part of a structural decline in ransomware payments through 2025, driven both by improved incident response capabilities and by coordinated law enforcement action against operators and their infrastructure.

The PowerSchool precedent is the clearest illustration. In December 2024, the school management software publisher paid for the deletion of stolen data. By May 2025, however, several of its school district customers were receiving extortion messages based on the very data that had supposedly been destroyed. The payment had prevented nothing.

Instructure defends its decision in measured terms: “While there is never absolute certainty when dealing with cybercriminals, we felt it was important to take every measure in our power to offer our customers additional peace of mind, wherever possible.” In return, the company says it has recovered the data, obtained digital confirmation of destruction in the form of shred logs, and received assurances that none of its customers will be extorted separately. The ShinyHunters leak site has indeed removed the Instructure entry, consistent with the group’s usual post-payment behavior.

The limit of the agreement is captured in one sentence from Rebecca Moody, head of data research at Comparitech: “ShinyHunters are cybercriminals. Even by paying this ransom demand, Instructure cannot guarantee that the data will be removed.” Michael Klein, Senior Director at the Institute for Security and Technology, goes further: in his view, the type of data involved did not meet the criteria that usually justify an exception to the consensus against paying ransoms, unlike, say, medical data whose exposure could cause physical harm.

ShinyHunters, a front for a mafia-style alliance

The question of attribution has to be asked precisely. Since 2020, the ShinyHunters name has been attached to large-scale database theft and monetization operations, with Ticketmaster, AT&T and Santander among the best-known victims. But Allison Nixon, Research Director at Unit 221b, which tracks the group closely, warns against reading too much into the name: the constellation of actors operating under the ShinyHunters, Lapsus$ and Scattered Spider banners has reshuffled over time. The Canvas activity appears to fall under what some researchers call Scattered Lapsus$ Hunters, an alliance that has federated these groups under a common identity since August 2025.

Allison Nixon describes pressure tactics that go far beyond digital extortion: during negotiations, the associated groups resort to DDoS attacks, spam campaigns and, in the most serious cases, direct threats against executives and their families. “These pressure tactics are beginning to resemble a violent mafia rather than anything resembling skilled hacking,” she sums up. The May 7 defacement was exactly that: a show of force, not another exfiltration.

Nor is Canvas an isolated operation. In March 2026, the group claimed the hacking of the European Commission, publishing a first 90 GB archive and threatening to release the entire dataset. In January 2026, a large vishing campaign against the SSO accounts of global enterprises had shown the rise of social engineering techniques combining fraudulent phone calls with phishing kits able to bypass multi-factor authentication. The Canvas attack extends this trajectory of escalation.

Congress investigates a disarmed education sector

The decision to pay came on the same day that the House Homeland Security Committee announced the opening of an investigation. Garbarino called for a briefing before May 21 with the CEO or a senior executive of Instructure, covering the circumstances of the two intrusions, the nature and volume of data accessed, and coordination with federal law enforcement and CISA. For its part, the Department of Education’s Student Privacy Policy Office requested information to assess compliance with FERPA (Family Educational Rights and Privacy Act).

But above all, the incident exposes a structural deficit in American educational cybersecurity, deepened by recent federal policy choices. Michael Klein, former senior cybersecurity advisor at the Department of Education, recalls that during the PowerSchool incident in December 2024 he was able to bring 41 states together within days through the Critical Infrastructure Partnership Advisory Council (CIPAC) to share information and coordinate the response. That mechanism is gone: the Department of Homeland Security revoked the council’s authority just over a year ago, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), which gave school districts free access to threat intelligence and incident response, lost its $48.5 million in federal funding as of September 2025, after an initial cut of around $11 million in spring 2025. Faced with the Canvas incident, from his position at the Institute for Security and Technology, Klein was able to coordinate only 22 states.

Illustration: a fractured cybersecurity coordination network

On May 12, the Software & Information Industry Association wrote to both houses of Congress to request $36 million in the FY 2027 budget: $20 million to refund MS-ISAC, $10 million to re-establish a dedicated K-12 cyber incident management assistance center, and $6 million to restore the Department of Education’s coordinating role. The sector now publicly admits to having lost, within eighteen months, the collective incident response capability it had until recently.

Class actions, FERPA and GDPR in the legal arena

Several class actions have already been filed in federal district courts. One plaintiff argues that Canvas’ downtime deprived her of access to her course materials the day before a final exam scheduled for May 8, the day after the shutdown. The legal framework is complex: FERPA gives individuals no private right of action against companies, so recourse is limited to state consumer protection laws and negligence theories. Instructure’s responsibility for the XSS flaw left open between the two intrusions is likely to be central to these proceedings.

For European institutions using Canvas, GDPR obligations add to the picture. The personal data of European users (e-mail addresses, identifiers, messages) fall under the regulation. Under Article 33, Instructure, as processor, must notify the affected institutions without undue delay, and each institution, as controller, must notify its supervisory authority within 72 hours of becoming aware of the breach.

A deal with criminals, no guarantees for users

Instructure has announced that it has deployed CrowdStrike Falcon EDR across its entire estate, revoked compromised tokens and access keys, rotated internal keys and restricted token creation mechanisms. The Parchment platform, separate from Canvas, was not affected: a sweep for the incident’s indicators of compromise found no abnormal activity there.

The fact remains that paying for data that has already been exfiltrated does not extinguish the downstream risk. The FBI has made the same point: an FBI spokesperson speaking to The Record warns that a message from ShinyHunters “does not necessarily mean that your personal information has been compromised”, and strongly advises against paying or responding to any demand. Institutions and users should assume that the exfiltrated data can circulate independently of the agreement between Instructure and its extortionists.

An agreement with a criminal group binds neither its own members nor any third parties to whom copies may have been passed before the claimed destruction. That is the lesson of the PowerSchool precedent. At a time when the ransom payment rate is at an all-time low, Instructure’s decision sends the opposite signal. As Cliff Steinhauer (National Cybersecurity Alliance) puts it in Inside Higher Ed, this type of payment “reinforces the economic incentive structure behind cyber-extortion” and risks “normalizing payment as an incident response strategy, which law enforcement routinely advises against because it fuels new attacks”.

In the short term, therefore, the burden of alerting users falls on the institutions, not on Instructure. The practical response comes down to a few simple steps: immediately issue tailored phishing notices to students, teachers and administrative staff, stating which data has been exposed and which impersonations to watch for (fake messages from the administration, fraudulent password reset links, solicitations imitating financial services linked to tuition fees). Staff whose e-mail addresses appear in the leak should check their accounts for suspicious activity and enable or strengthen multi-factor authentication. The payment has let Instructure close the media chapter, but not the data chapter: it is the coming months, not ShinyHunters’ confirmation of destruction, that will tell whether the leak has really been contained.
