Canvas Parent Company Reaches Agreement With Hackers Behind Massive Breach

Instructure said it reached an agreement with the ShinyHunters hacking group following the recent Canvas breach that disrupted educational institutions during finals season and exposed student-related data.

Instructure, the parent company of the widely used Canvas learning management platform, said it has reached an agreement with the hacking group behind the recent cyberattack targeting educational institutions during finals season and exposing data affecting schools and universities worldwide.

The company disclosed the latest development in an updated incident notice posted Monday, stating that it had “reached an agreement with the threat actor” and received “digital confirmation” that the stolen data had been deleted. The company also urged customers not to communicate directly with the attackers.

The breach, which has been linked to the cybercriminal group ShinyHunters, affected systems used by schools, colleges and universities for coursework, grading, assignments and student communications. Reuters reported that exposed data included names, email addresses and other school-related information connected to Canvas users. Instructure later said the unauthorized access exposed usernames, course names, enrollment data and messages, though the company maintained that course content, submissions and credentials were not compromised.

The company also disclosed that attackers exploited a vulnerability tied to support tickets within its Free for Teacher environment. “We temporarily disabled Free for Teacher while we complete a full security review,” the company said in the update. “We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.”

The timing of the attack amplified concern across the education sector because many institutions were in the middle of final exams and end-of-semester grading activity when disruptions occurred. The incident drew heightened attention as schools worked to determine whether sensitive student or faculty information had been compromised.

Instructure has not publicly disclosed financial terms tied to the agreement, but multiple reports indicated the company paid the hackers as part of the deal to secure the return and destruction of the stolen data. Cybernews and Inside Higher Ed both reported that the company made a payment connected to the breach, though Instructure has not publicly detailed the arrangement.

Additional reporting from the New York Times said the company chose to negotiate after the attackers claimed to possess large amounts of stolen data and threatened broader exposure of the information.

The incident has become one of the more high-profile cyberattacks affecting the education sector this year because of Canvas’ central role in academic operations at colleges and universities.

In its incident update, Instructure said it continues to work with third-party forensic experts and law enforcement agencies while the investigation is ongoing. The company added that it is monitoring for any signs that the stolen information resurfaces online despite the agreement with the attackers.

The incident has also prompted government scrutiny. Reuters reported that the House Homeland Security Committee requested a briefing from company leadership regarding the breach and the company’s coordination with federal cybersecurity officials.

About the Author

Rodney Bosch

Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications.
