
In a surprising development, Instructure, the company behind the widely used Canvas learning management software, has reportedly agreed to pay a ransom demanded by the cybercriminal group known as ShinyHunters. The American educational technology company took the decision in an effort to prevent nearly 3.45TB of allegedly stolen data from being leaked on underground breach forums.
The Utah-based firm recently released a public statement acknowledging the cyber incident and confirmed that it was in discussions aimed at stopping the hackers from distributing or selling the compromised information online. Although the company did not reveal the exact amount being paid, sources familiar with the matter claim the negotiations were initiated after the attackers threatened to publish sensitive institutional data if their demands were not met before the deadline.
Canvas, one of the most popular school management and online learning platforms in the United States, is used by thousands of schools, colleges, and universities worldwide. The cyberattack reportedly caused significant disruption across educational institutions, particularly during the first week of May when several students were unable to appear for their final examinations due to system outages and accessibility issues linked to the breach.
Last week, Instructure announced that it had successfully restored most of its affected services and resumed normal operations for nearly 9,000 impacted schools. The company stated that its technical teams worked around the clock to stabilize the platform and minimize disruption to students and educators who rely heavily on Canvas for academic activities, assignments, and examinations.
According to information circulating on Telegram channels associated with cybercrime monitoring groups, Instructure may have been targeted in two separate cyber incidents. Reports suggest the company managed to recover quickly from the initial attack. However, the second and more severe intrusion allegedly allowed attackers unauthorized access to the network systems of more than 330 educational institutions connected to the Canvas software ecosystem.
The same reports indicate that the attackers issued an ultimatum demanding an undisclosed payment by May 12, 2026, threatening to publicly release the stolen data if negotiations failed. Cybersecurity experts believe the leaked information could include student records, institutional documents, login credentials, and other sensitive educational data.
Interestingly, the company’s reported decision to pay the ransom coincides with Anti-Ransomware Day, observed globally on May 12 each year to raise awareness about the growing threat of ransomware attacks. Law enforcement agencies, including the FBI, have consistently advised organizations not to pay ransom demands, arguing that such payments encourage further criminal activity.
Security experts also warn that paying a ransom does not guarantee safety. In many double-extortion attacks, cybercriminals often retain copies of stolen data even after receiving payment, leaving victims vulnerable to future leaks, resale of information, or additional extortion attempts. The incident once again highlights the increasing cybersecurity risks facing the education sector, which has become a major target for ransomware gangs in recent years.
Note: ShinyHunters is known to demand over $5 million on average, with the final sum depending on the targeted organization and the negotiations that follow.















