Maker of Canvas learning platform strikes deal for hackers to return data



The maker of Canvas, the software used by thousands of schools and universities around the world, said on Monday that it had reached a deal with the hackers that recently breached its systems for the return of stolen data and the destruction of any copies.

ShinyHunters, a hacking group, had claimed responsibility for the attack on Instructure, the Salt Lake City-based company that provides Canvas to about half of all colleges and universities in North America.

The hackers said they had accessed the data of more than 275 million users at nearly 9,000 schools worldwide, including private conversations between students and teachers as well as personal identifying information such as names and email addresses. Canvas was shut down for hours after the cyberattack on Thursday.

The agreement, Instructure said in a statement, involved the return of the stolen data and confirmation that the data had been destroyed at the hackers’ end. Instructure added that it had been informed that none of its customers would face extortion as a result of the theft.

“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said.

Instructure did not say what it had given the hackers in exchange for the return of the data. The company did not immediately respond to questions about the deal.

Canvas has more than 30 million active users around the world, according to Instructure. The platform is used by teachers and students for coursework management and communications. Instructure said the data compromised in the hack included usernames, email addresses, course names, enrollment information and messages.

ShinyHunters on Thursday claimed the attack in a message that appeared on students’ Canvas pages and was obtained by The New York Times. The group warned that it would leak an unspecified amount of data Tuesday if it did not receive a response from Instructure. In its May 3 ransom note, the group had threatened to leak “several billions of private messages among students and teachers.”

Not much is known about ShinyHunters, which is believed to have been formed around 2020. Its goal appears to be to obtain personal records and sell them. One of its high-profile attacks was against Ticketmaster in 2024, when the hackers said they had stolen the user information of more than 500 million customers.

Instructure said it first detected unauthorised activity in Canvas on April 29, and again on May 7. The company said it took Canvas offline to investigate the breach, and also informed the FBI, the US Cybersecurity and Infrastructure Security Agency and other international law enforcement partners.

Instructure did not immediately respond to questions about whether any law enforcement agencies were involved in its dealings with the hackers. The FBI advises against paying ransom to hackers, saying it does not guarantee data security and encourages attackers to target more victims. – ©2026 The New York Times Company

This article originally appeared in The New York Times.
