Canvas admits it paid hackers after finals-week cyberattack – but is student data truly safe?

Published: 12 May 2026
Last updated: 13 May 2026
University of Florida campus
Phelan M. Ebenhack/The Orlando Sentinel/Tribune News Service via Getty Images

Canvas by Instructure now admits it paid the hackers behind the massive finals-week cyberattack that disrupted schools worldwide and sparked fears about what could happen to student data that may have been stolen.

Key takeaways:
  • Canvas now admits it paid hackers tied to the finals-week cyberattack and issued a public apology after days of disruption for schools, students, and educators.
  • The company says there is “no evidence” stolen data was retained or leaked, but questions remain over whether student information is truly safe.
  • The incident is fueling broader concerns over schools’ reliance on cloud-based platforms for exams, assignments, messaging, and student records.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The education technology giant, which powers coursework, grading, assignments, and communications for 9,000 schools, from kindergartens to universities, in more than 100 countries, confirmed Monday that it paid off the threat actor behind the April 29th attack, which was claimed by the ShinyHunters gang.

ADVERTISEMENT

According to Instructure, the hackers no longer have access to the Canvas platform.

The disclosure, alongside a public apology from Instructure CEO Steve Daly, came four days after widespread disruption and mounting frustration plagued students and teachers who were locked out of the e-learning platform during one of the busiest periods of the academic year.

Canvas ransomware attack
Students and faculty across North America reported being locked out of Canvas during finals week after an alleged ShinyHunters cyberattack disrupted the learning platform. Image by Cybernews.

CEO issues public apology after backlash

“I’ll start where I should: with an apology,” Daly wrote in a blog post on the company’s website Monday.

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn't deliver it,” Daly wrote in the letter addressed “To our Instructure community.”

Instructure apology
Instructure CEO Steve Daly issued a public apology after the Canvas outage disrupted exams, assignments, and coursework at thousands of schools worldwide. Image by Cybernews.

Daly also reiterated that the Canvas platform “is fully operational and remains safe to use,” adding that core learning data was not compromised, and vowed to “earn back” customer trust through “consistent action and honest communication.”

ADVERTISEMENT

“We'll give you clear guidance if any action is required on your end. Right now, there's nothing you need to do,” he said.

Directly underneath Daly’s blog post was a status update, also dated May 11th, detailing Instructure’s latest “agreement with the unauthorized actor involved in this incident.”

Canvas claims “confirmation of data destruction”

Notably, Instructure did not disclose how much of a ransom it paid to the unidentified threat actor, but did lay out what was promised to the company’s purported negotiators.

Instructure said the agreement included the return of stolen data, “digital confirmation of data destruction,” and assurances that no customers would be extorted publicly or otherwise as a result of the incident.

The company also said the agreement covers all impacted Instructure customers, meaning individual schools do not need to attempt to engage with the unauthorized actor themselves.

A representative for ShinyHunters, the group that claimed responsibility for the breach, said in a message to Reuters that the “data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.” The representative declined to answer specific questions about the agreement.

ShinyHunters Canvas threats
ShinyHunters threatened to leak allegedly stolen Canvas data unless schools or Instructure negotiated before the group’s May 12th deadline. ShinyHunters victim posts. Image by Cybernews

The notorious ShinyHunters, which previously claimed ransomware negotiations had broken down with the Canvas parent company on May 7th, upped the ante and began targeting individual schools for a payout.

The group, taking control of the platform late Thursday, gave schools a revised deadline of May 12th before threatening to leak an alleged 3.65TB of stolen data – including several billion personal messages tied to more than 275 million students and faculty members.

ADVERTISEMENT

Meanwhile, thousands of students and faculty across multiple universities in the US and Canada began reporting seeing defaced login pages displaying the ShinyHunters ransom message on their computers, while being locked out of the platform altogether.

As news outlets and student newspapers began reporting the hack, school officials scrambled to contain the damage, which impacted thousands of students trying to study, hand in assignments, and take final exams during the last few weeks of the semester.

Questions still remain over student data exposure

Instructure revealed the hackers gained access to Canvas systems by exploiting a vulnerability related to its "Free-For-Teacher accounts,” a core part of the platform that has now been temporarily shut down.

“We also revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms,” the Salt Lake City-based education giant said.

Canvas, webpage in background
Universities across the US and Canada scrambled to respond as students reported outages during one of the busiest weeks of the academic year. CFOTO/Future Publishing via Getty Images

Instructure also claimed there is currently “no evidence” the stolen information has been publicly leaked or retained by the attackers following the payment agreement.

Still, cybersecurity experts have long warned that payments to extortion groups do not guarantee that stolen data is ever fully deleted or destroyed.

Students and parents are rightly worried about the private data falling into the wrong hands, especially as nearly 40% of K-12 school districts in the United States alone use the Canvas platform.

ADVERTISEMENT

“The education sector is uniquely vulnerable when it comes to data breaches not because of weak technology, but because of who the data belongs to,” said Muhammad Yahya Patel, Cybersecurity Advisor at Huntress.

School students online
Instructure says the breach stemmed from a vulnerability tied to Canvas’ “Free for Teacher” environment, which has since been temporarily disabled. Image by namaki | Shutterstock

“We're potentially talking about minors whose personal information, including names, email addresses, and student IDs, could now be in the hands of criminal actors. Unlike a credit card that can be canceled, a child's identity and educational record follow them,” Patel explained.

“The implications for identity theft, targeted social engineering, and even safeguarding are serious and long-lasting,” he added.

The FBI Cyber Division has also provided guidance to victims of the attack, putting out a public service announcement Friday. "If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands," the FBI warned.

Meanwhile, Intstructure says the compromised information included usernames, email addresses, course names, enrollment information, and private messages exchanged on the platform.

Canvas said passwords, Social Security numbers, financial information, grades, coursework submissions, and student files were not exposed.

The attack also renewed broader concerns over how heavily schools now depend on centralized cloud-based platforms for exams, assignments, grading, messaging, and student records.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us
ADVERTISEMENT

"Universities are treasure troves of sensitive data, and ransomware actors know it. At the same time, the openness that defines higher education can make these institutions more exposed than many other organizations,” said Cynthia Kaiser, SVP of the Halcyon Ransomware Research Center.

“Ransomware remains one of the highest cyber threats facing higher education, and Halcyon tracked over 250 ransomware attacks on educational institutions worldwide across the full calendar year of 2025,” Kaiser noted.

Instructure said it is taking additional steps to harden systems and will provide another update in 48 hours. Any individual or school that was compromised in the attack will be notified accordingly, as the investigation is ongoing, it said.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
By participating in this viral trend, you help train AI where it struggles the most
Windows hibernation may contribute to SSD wear as storage costs rise
UFO skeptic Michael Shermer apologizes to David Grusch
Man tries to make a sale on Facebook Marketplace, gets scammed out of $300 via Zelle
Critical FFmpeg flaw discovered: just watching a video can fully compromise your system
The world's top intelligence alliance: AI could supercharge cyberattacks within months
ADVERTISEMENT