What happened
Instructure, the company behind the Canvas learning platform, says it reached an agreement with hackers who disrupted thousands of colleges and universities after stealing student and institutional data. The incident affected an estimated 9,000 institutions across the United States, Canada, Australia and the UK, turning a software outage into a broader data-security crisis for schools that depend on Canvas during high-pressure academic periods.
The company said the agreement was intended to prevent the publication of stolen information and stop further extortion of students and institutions. It did not disclose the terms, but the development strongly suggests a deal was reached after the attackers threatened to release a large volume of data online.
How the breach affected schools and students
The breach was discovered in late April and was claimed by the extortion group Shiny Hunters, which said it had taken 3.5 terabytes of data. The attack also caused direct disruption to campus life. Students lost access to Canvas during exam periods, raising concern about whether coursework, assessments and revision materials would still be available when needed.
One student at Mississippi State University said a ransom message appeared during an exam, creating confusion over whether work had been saved. The university later postponed some exams so students could recover lost work. That kind of disruption illustrates how attacks on education technology now threaten both data privacy and the day-to-day functioning of academic institutions.
What is known about the attackers
Shiny Hunters has been linked to data theft and extortion campaigns against a range of organizations, including well-known consumer and luxury brands. The group typically seeks payment in bitcoin and uses encrypted channels to negotiate. Instructure said the data would be deleted and that students and institutions would not face further extortion, but law-enforcement guidance has long warned that paying cyber criminals does not guarantee stolen information is truly destroyed.
In communications with the BBC, the group claimed it had targeted Canvas before. Instructure previously disclosed a breach in September 2025, and another incident was reportedly claimed in April 2026. The company has continued to publish updates, a sign of how visible the incident became once universities began dealing with outages and student complaints.