Canvas pays hackers to erase stolen student data after breach
The company behind Canvas has confirmed it has “reached an agreement” with hackers who disrupted thousands of colleges and universities by stealing student and university data. Canvas pays hackers to prevent the publication of stolen information following a major cyber-attack that affected an estimated 9,000 institutions across the US, Canada, Australia, and the UK.
Details of the cyber-attack and its impact
The breach was discovered in late April and was claimed online by the extortion group known as Shiny Hunters. The hackers threatened to release 3.5 terabytes of stolen data unless a ransom was paid. The attack caused significant disruption, including the loss of access to Canvas services during exams, affecting students’ ability to revise and complete assessments.
One student at Mississippi State University described how a ransom message appeared during an exam, causing confusion and concern about whether their work had been saved. The university later postponed some exams to allow students to recover lost work.
Agreement with hackers and company response
Instructure, the maker of Canvas, stated that the agreement with the hackers involved the deletion of the stolen data and a promise not to extort students or institutions further. While the company did not disclose specific terms, it emphasized that protecting student and staff data was its primary motivation.
Although neither the hackers nor Instructure explicitly confirmed a ransom payment, groups like Shiny Hunters typically demand bitcoin payments through encrypted channels. Paying cyber criminals is generally discouraged by law enforcement, as it can encourage further attacks and does not guarantee data deletion. Past incidents have shown that criminals may accept payments without destroying stolen data.
Instructure has maintained transparency by providing regular updates on its website, likely due to the high visibility of the attack and its direct impact on students.
Background on the Shiny Hunters group
Shiny Hunters is known for hacking organizations, stealing data, and pressuring victims to pay ransoms in bitcoin. The group has been linked to previous breaches involving companies such as Jaguar Land Rover and Gucci. They are English-speaking and believed to be young.
In communications with the BBC, Shiny Hunters claimed to have hacked Canvas twice before the recent attack. Instructure had disclosed a breach in September 2025 and another claimed by the group in April 2026.
When asked about the disruption caused to students, the group declined to comment and did not reveal how much it was paid by Instructure.
