Canvas Data Breach: Instructure Reaches Deal With ShinyHunters To Return User Data

Instructure, the company behind the widely used Canvas learning management platform, says it has reached an agreement with the hackers responsible for last week’s cyberattack. The breach briefly disrupted Canvas services and reportedly involved the theft of nearly 3.5 terabytes of student-related data. The hacking group ShinyHunters had earlier claimed responsibility for the attack and threatened to leak the stolen data online unless a “settlement” was reached. Now, according to Instructure, the stolen information has been returned and the hackers have promised not to extort customers further.Instructure Says Data Has Been ReturnedThe update was confirmed by Instructure CEO Steve Daly in a company blog post. According to the company, the agreement included

the return of the stolen data along with what it described as “digital confirmation of data destruction.”“Instructure reached an agreement with the unauthorized actor involved in this incident,” the company said in its statement. “As part of that agreement the data was returned to us, we received digital confirmation of data destruction (shred logs), we have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”The company also added that protecting users remains its top priority and said it took the decision to provide “additional peace of mind” to affected customers.Did Instructure Pay The Hackers?While Instructure has not directly confirmed whether money was paid to the attackers, the wording of the announcement strongly suggests some form of settlement may have taken place. Cybersecurity experts have often warned that ransom payments can encourage future attacks. There’s also no absolute guarantee that hackers will fully delete stolen data even after making such promises.One detail that raised questions online was the company claiming the data had been both “returned” and “destroyed.” Instructure has not publicly explained how that process worked.Canvas Services Slowly ReturningMost Canvas systems are now back online after temporary disruptions caused by the breach. The company says it is continuing forensic investigations with cybersecurity experts while also strengthening its systems. Last week, Instructure had revealed that attackers allegedly used Free-For-Teacher accounts as part of the breach. In response, the company temporarily shut down those accounts to contain the incident. At the moment, Instructure has not confirmed when Free-For-Teacher access will be fully restored. The company is also expected to share more technical details about the cyberattack during an upcoming webinar.