
BREAKING UPDATE: Student, teacher data firm makes deal with extortionist hackers


Instructure, whose Canvas learning management software was compromised, claims to have “reached agreement” with the extortionist hackers at the last minute in order to halt release of roughly 275 million records from more than 8,800 educational institutions.

by Timothy Page

Instructure, the company behind the widely used Canvas learning management system, announced on May 11, at the last minute, that it had reached an agreement with the extortion group ShinyHunters, resolving a high-profile data breach that impacted millions of students, educators, and staff worldwide, including users at Vermont institutions such as Middlebury College. The resolution averts an immediate public data leak but has ignited debate about the ethics and long-term consequences of negotiating with cybercriminals.

According to Instructure’s official Security Incident Update & FAQs and reporting by Krebs on Security, the company first detected unauthorized activity in its cloud-hosted Canvas environment on April 29, 2026. Instructure stated: “On April 29, 2026, we detected unauthorized activity in Canvas.” The attackers, operating as ShinyHunters, exploited weaknesses associated with the company’s Free-for-Teacher (FFT) program. This program allowed individual educators to create and use Canvas instances for free without the same level of institutional sponsorship or rigorous identity verification applied to paid enterprise accounts. The vulnerability or misconfiguration in how these free accounts were isolated from the broader production environment provided the initial foothold.

Once inside, the attackers exfiltrated approximately 3.65 terabytes of data, encompassing roughly 275 million records from more than 8,800 educational institutions. The stolen dataset included full names, email addresses (both school and personal), student or user ID numbers, course enrollment information, and billions of private messages exchanged between students, teachers, and staff. Instructure initially stated the incident was contained. However, on May 7, ShinyHunters escalated by using the same Free-for-Teacher-related access to deface login pages for hundreds of institutions (around 330 affected portals). These defaced pages displayed ransom-style messages accusing Instructure of ignoring them and applying only superficial “security patches.”

This second wave forced Instructure to take Canvas (along with Beta and Test environments) offline temporarily, causing widespread disruptions during finals week. In response, the company revoked credentials, rotated keys, deployed patches, increased monitoring, and permanently shut down the Free-for-Teacher program.

On May 11 — one day before the final May 12 deadline — Instructure publicly confirmed it had reached an “agreement” with the threat actors for an undisclosed sum. From Instructure’s Security Incident Update & FAQs: “To our Instructure community, I’ll start where I should: with an apology. … We reached an agreement with the unauthorized actor involved with this incident. As part of this agreement, the data was returned to us, and we received digital confirmation of data destruction (shred logs). We were also informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” Key elements of the deal include the full stolen dataset being returned to Instructure, digital shred logs confirming data destruction, and assurances that no individual schools, districts, or users would face separate extortion demands. ShinyHunters also removed Instructure and the affected institutions from their public leak site. Instructure described the decision as necessary to protect sensitive student and faculty communications and issued a public apology for its earlier lack of transparency. While the company avoided explicitly calling the payment a “ransom,” cybersecurity experts widely characterize it as such.

Even with returned data and shred logs, experts emphasize that complete and verifiable destruction is nearly impossible to confirm. Copies may still exist with the original attackers, their affiliates, or insiders. The data could resurface on dark web markets months or years later and be weaponized for sophisticated phishing campaigns that reference real course details, conversations, or student IDs. Vermont users at Middlebury College, the Vermont State Colleges System (vsc.instructure.com), Vermont Law and Graduate School, and the Vermont Virtual Learning Cooperative (VTVLC) should continue heightened vigilance.

Many in the cybersecurity community commend Instructure for limiting immediate harm to students and protecting private communications. However, critics argue that paying extortion groups validates and incentivizes this business model, making education platforms more attractive targets in the future. The incident has renewed calls for regulatory oversight of ed-tech vendors, stricter isolation between free and paid environments, mandatory transparency standards during breaches, and improved data minimization practices.

Vermont users should change their Canvas passwords immediately and enable multi-factor authentication (MFA) on all related accounts. They should scrutinize any communications referencing specific school details, courses, or past messages, monitor for suspicious account activity, and contact their institution’s IT department for any localized guidance. While the immediate crisis appears resolved and Canvas is fully operational, the breach serves as a stark reminder of the vulnerabilities inherent in centralized cloud platforms serving the education sector. Long-term improvements in security architecture and policy will be essential to prevent recurrence.

