Instructure Pays ShinyHunters to Prevent 3.6TB Canvas Data Leak
Instructure, the company behind Canvas LMS — used by over 30 million educators and students across more than 8,000 institutions worldwide — has confirmed it reached a financial agreement with the ShinyHunters extortion group to prevent the release of stolen data from a recent breach.
The company stated that ShinyHunters returned the stolen data and provided shred logs confirming its destruction. Instructure said the agreement covers all impacted customers and that no individual institutions will be extorted as a result.
ShinyHunters claimed responsibility for the attack, reporting they exfiltrated more than 3.6TB of uncompressed data. The initial intrusion exploited a security flaw in the Free-for-Teacher environment, a free, limited version of Canvas LMS available to individual educators. The group then re-exploited the same vulnerability on May 7 to deface Canvas login portals across multiple institutions, posting extortion messages that set a May 12 deadline for ransom negotiations.
The attack chain leveraged multiple cross-site scripting (XSS) vulnerabilities in Canvas. ShinyHunters injected malicious JavaScript through user-generated content features, allowing them to steal authenticated admin sessions and perform privileged actions across tenant environments.
Instructure has since restored Canvas to full operation, temporarily shut down Free-for-Teacher accounts, and stated it is working to remediate the underlying vulnerabilities. The company plans to share additional details in a May 13 webinar.
This marks Instructure's second breach attributed to ShinyHunters in under a year. In September 2025, the group accessed data through Instructure's Salesforce instance. ShinyHunters has been on a prolific run, with recent claims including breaches of Google, Cisco, the European Commission, Match Group, ADT, McGraw-Hill, and Medtronic.
As the FBI has repeatedly warned, paying a ransom provides no guarantee that threat actors will not sell stolen data to other parties or return for a second extortion attempt.
What Defenders Should Do:
Organizations running Canvas LMS should audit their environments for unauthorized administrative activity, review integration configurations, and monitor for any signs of session hijacking or injected scripts. Institutions relying on Free-for-Teacher instances should assume exposure until Instructure provides a full scope of impact. Security teams should also review any Salesforce integrations connected to Instructure products given the prior breach. More broadly, this incident reinforces the risk of XSS vulnerabilities in multi-tenant SaaS platforms — input validation and content security policies remain critical controls.
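The attack chain described above (script injected through user-generated content, then reuse of the admin session it captured) maps directly onto the controls named in the last sentence. The following is an added example, not Instructure's or Canvas's code, of what those controls look like in practice for a multi-tenant platform that stores rich-text content from users: an allow-list sanitizer for stored HTML, a retrospective scan of already-stored records that flags anything the allow-list would reject (the kind of "injected scripts" review recommended for defenders), and the response headers that limit what any injected script could do (a nonce-based Content-Security-Policy and an HttpOnly session cookie). The allowed tag set, the stored records, the record IDs and the cookie value are constructed for the example.

```python
"""Added example (not Instructure's code): allow-list sanitization of
user-generated HTML, a scan of stored content for rejected markup, and
response headers that blunt stored XSS. All sample data is constructed."""
from html import escape
from html.parser import HTMLParser
import re

# Constructed allow-list: the only tags/attributes rich-text content may keep.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)  # blocks javascript:/data: hrefs


class AllowListSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowed tags; everything else is
    dropped and recorded in self.dropped so callers can alert on it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.dropped, self.skipping = [], [], [], None

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in ("script", "style"):      # discard their bodies entirely
                self.skipping = tag
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_URL.match(value.strip()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:                                # event handlers, unsafe schemes, etc.
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)         # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open:                     # close any tags left open inside it
            while True:
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # text is always entity-encoded

    def close(self):
        super().close()
        while self.open:                          # balance anything left unclosed
            self.out.append(f"</{self.open.pop()}>")

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Return (clean_html, list_of_dropped_items) for one stored fragment."""
    s = AllowListSanitizer()
    s.feed(fragment)
    s.close()
    return s.result(), s.dropped


def find_suspect_records(records):
    """Retrospective check over already-stored content: any record whose markup
    the allow-list would reject is returned with what was rejected."""
    return {rid: dropped for rid, (_, dropped) in
            ((rid, sanitize(html)) for rid, html in records.items()) if dropped}


def security_headers(nonce):
    """Headers that limit injected script even if sanitization is bypassed.
    Inline script without the per-response nonce does not execute; HttpOnly
    keeps the session cookie out of document.cookie. Cookie value is a placeholder."""
    return {
        "Content-Security-Policy": (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
                                    "object-src 'none'; base-uri 'none'; frame-ancestors 'self'"),
        "Set-Cookie": "session=<opaque-session-id>; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


# Constructed sample of stored user-generated content (record id -> HTML).
STORED_CONTENT = {
    101: "<p>Week 3 reading is <a href='https://example.edu/syllabus'>posted</a>.</p>",
    102: "<p>Hi</p><script>alert(1)</script>",
    103: "<img src=x onerror=alert(1)>",
    104: "<a href=\"javascript:alert(1)\">click</a>",
}

if __name__ == "__main__":
    for rid, flagged in find_suspect_records(STORED_CONTENT).items():
        print(f"record {rid}: rejected markup {flagged}")
    print(security_headers("r4nd0m"))
```

Run on the constructed records, the scan flags 102 (`script`), 103 (`img`) and 104 (`a@href`) while 101 passes through unchanged apart from attribute quoting. The sanitizer is applied on output as well as on write, so content stored before the control existed is still covered; the CSP nonce must be freshly generated per response, and the cookie flags are a complement to, not a substitute for, fixing the injection itself.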