Instructure Pays Ransom After ShinyHunters Breach Impacts Thousands of Schools
**Instructure**, the company behind the **Canvas** learning management system, has confirmed it paid a ransom to a cybercrime group after a significant data breach. The decision was made to prevent the leak of stolen information impacting nearly 9,000 educational institutions.

**Instructure** has admitted to paying a ransom to a decentralized cybercrime extortion group following a breach of its network. The company, known for its **Canvas** learning management system, made this announcement after the attackers threatened to leak stolen data from thousands of schools and universities.
### Ransom Payment Confirmed
In a statement released on Monday, the Utah-based company said it "reached an agreement with the unauthorized actor involved in this incident," citing concerns over potential data publication. The decision to pay the ransom, a controversial move, was made to avoid a leak, and the agreement covers all impacted customers. **Instructure** claims the stolen data was returned and digitally confirmed as destroyed. The company also said it was informed that no customers would be separately extorted as a result of the hack.
"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," **Instructure** stated.
### Forensic Analysis and Security Improvements
The company is collaborating with expert vendors to support forensic analysis, enhance its cybersecurity defenses, and conduct a thorough review of the compromised data.
### ShinyHunters Claim Responsibility
The breach stems from an attack by the **ShinyHunters** extortion group, which targeted **Canvas** last month and stole 3.65 TB of data. The incident affected nearly 9,000 organizations. Although the breach was initially believed to be contained, a second wave of unauthorized activity occurred on May 7, 2026: **Canvas** login portals at around 330 institutions were defaced with extortion messages that set a deadline of May 12, 2026, for **Instructure** to negotiate.
### Vulnerability Exploitation
The attackers reportedly exploited an unspecified vulnerability related to support tickets within the Free-for-Teacher environment to gain initial access. This allowed them to siphon approximately 275 million records containing usernames, email addresses, course names, enrollment information, and messages. **Instructure** emphasizes that course content, submissions, and credentials were not compromised.
### Remediation Steps
Following the breach, **Instructure** temporarily shut down Free-for-Teacher accounts. While the company has not disclosed the specific nature of the vulnerability, it has revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and implemented additional security controls.
### Phishing Risk
"The exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike," **Halcyon** warned.
"Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks. Students, parents, and personnel at affected institutions should be considered, and institutions should issue phishing advisories and direct communications immediately."