Canvas Cyberattack and Data Breach
The company behind the widely used Canvas software, Instructure, experienced a cyber-attack last week that disrupted services at approximately 9,000 universities and colleges across the US, Canada, Australia, and the UK. The attack caused significant interruptions, including exam disruptions, as the Canvas platform became inaccessible.
The hackers responsible threatened to publish 3.5 terabytes of stolen student and university data obtained during the breach.
Instructure has since confirmed it has "reached an agreement" with the hackers, who claim to have deleted the stolen data and pledged not to extort students or educational institutions further.
Paying cybercriminals contradicts the guidance of law enforcement agencies worldwide, as it may encourage additional attacks and does not guarantee the deletion of stolen data.
In previous incidents, cybercriminals have accepted ransom payments but falsely claimed to have destroyed stolen data, often retaining it for resale. For instance, after the National Crime Agency hacked the notorious LockBit ransomware group, authorities discovered that data remained undeleted despite ransom payments.
Instructure stated on its website that the protection of student and education staff data was its primary concern.
"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said.
The company did not disclose the specific terms of the agreement but confirmed that it followed the discovery of the breach on 29 April, which was publicly claimed by the prolific extortion group Shiny Hunters.
Neither the hackers nor Instructure explicitly confirmed that money was exchanged; however, cyber extortion groups like Shiny Hunters typically demand ransom payments in bitcoin after negotiations conducted via encrypted chat services.
It is uncommon for victims of cyberattacks to publicly acknowledge paying hackers, but Instructure has maintained transparency by providing regular updates on its website. This openness may be due in part to the attack's high visibility and direct impact on students.
Students in the US, in particular, faced significant challenges, losing access to Canvas for exam revision and experiencing interruptions during online exams.
Student Impact and Exam Disruptions
Aubrey Palmer, a meteorology student at Mississippi State University, recounted to the BBC how they and other students had just completed a 2,900-word exam essay when a ransom message suddenly appeared on their screens.
The message read: "Shiny Hunters has breached Instructure (again)."
It threatened to release stolen data unless a ransom was paid in bitcoin by Canvas or the affected universities.
"My knee-jerk reaction was that I'd been hacked myself, because that's what it looked like," Palmer said. "But then I actually read the ransom note and saw it was Canvas that had been hacked."
Aubrey explained that their professor and dozens of students received the same message, causing confusion in the exam room regarding whether their work had been saved.
Mississippi State University later announced that some exams would be postponed to allow students to recover any lost work.
About Shiny Hunters
Shiny Hunters is a known cybercriminal group that hacks organizations, steals data, and publicly pressures victims to pay ransoms in bitcoin. The group has been linked to breaches involving companies such as Jaguar Land Rover and Gucci. The criminals are English-speaking and believed to be young individuals.
In Telegram messages exchanged with the BBC, Shiny Hunters claimed to have hacked Canvas twice before the attack on 29 April.
Instructure disclosed a breach in September 2025 via a blog post. Shiny Hunters also claimed responsibility for breaching the company again in April 2026, prior to the 29 April incident.
When asked about the stress and disruption caused to students like Aubrey Palmer, the group responded,
"We have no comment on that."
The group did not disclose the amount it was paid by Instructure.
