Instructure said it reached an agreement with the hacking group ShinyHunters to delete data stolen in a breach of its Canvas education platform, ending an extortion standoff that disrupted millions of students during finals week.
As evidence of the destruction, Instructure said it was provided what it described as "shred logs" — digital records confirming the data had been wiped. The company also said that neither it nor any of its customers would face further extortion demands, and that schools need not attempt any independent outreach to the attackers. Financial terms of the agreement were not disclosed.
"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," Instructure said.
In a statement to TechCrunch, someone speaking on behalf of ShinyHunters confirmed the data was gone and said neither Instructure nor any of its customers would receive further demands or be targeted by the group. By Tuesday, the posting advertising the stolen data had disappeared from ShinyHunters' leak site, TechCrunch reported.
Instructure said the exposed records encompassed things like usernames, email addresses, enrollment details, course names, and internal messages, while course content, submitted work, and login credentials remained unaffected.
According to NBC News, ShinyHunters said it had obtained data on roughly 275 million individuals and warned that the files would be made public unless payment was received. After setting May 6 as its original payment cutoff, the group pushed the date back to May 12, a move it attributed to negotiations already underway with some institutions.
Instructure disclosed that it had actually been hit on two separate occasions. According to ShinyHunters, the first intrusion took place around May 1, with a ransom note surfacing publicly on May 3. When the company did not meet the payment demand, the attackers returned — this time altering the login pages of Canvas portals at institutions including Harvard, Princeton, Columbia, and Georgetown, along with school districts in more than a dozen states. Instructure said the two incidents involved different systems. The company temporarily shut down its Free-For-Teacher environment after identifying it as an entry point for the second attack.
According to Instructure, the Canvas platform supports over 8,000 institutions worldwide and counts more than 30 million active users. The platform returned to full operation after the second attack.
The FBI, which CNN reported had deployed personnel across multiple states to support affected institutions, publicly acknowledged the disruption targeting schools nationwide. The agency had previously urged victims not to pay ransoms.
In a message to customers, Instructure CEO Steve Daly owned the company's stumbles in keeping people informed during the crisis. "Many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that," he wrote.
Instructure announced plans to convene an online session featuring company executives, during which it would walk customers through what happened and outline measures being taken to improve the security of its infrastructure.