Canvas hack: company pays criminals to delete students' stolen data

Getty Images

The company behind the popular Canvas software, which was hacked last week causing major disruption at thousands of universities and colleges, has paid the hackers not to publish stolen data online.

The cyber-attack affected an estimated 9,000 institutions in the US, Canada, Australia and the UK, with exams disrupted after the Canvas service went down.

The hackers threatened to publish 3.5 terabytes of student and university data they had stolen in the breach.

Instructure, the maker of Canvas, has now confirmed it has "reached an agreement" with the hackers, who have said they deleted the data and promised not to extort any students or institutions.

Paying cyber criminals goes against the advice of law enforcement agencies around the world, as it can fuel further attacks and offers no guarantee the data has been deleted.

In previous cases, criminals have accepted ransom payments but lied about destroying stolen data, instead keeping it for resale.

For example, when the notorious LockBit ransomware group was hacked by the National Crime Agency, police found stolen data had not been deleted even after payments had been made.

Instructure said in a statement on its website that protecting students' and education staff data was its primary motivation.

"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said.

Instructure did not set out the terms of the agreement but said that it meant that:

• the data was returned to the company
• it received "digital confirmation of data destruction"
• it had been informed that no Instructure customers would be extorted as a result of the incident
• the agreement covers all affected customers, with no need for individuals to engage with the hackers

The breach was discovered on 29th April and was claimed online by the prolific Shiny Hunters extortion group.

Neither the hackers nor the company are explicitly saying that money was exchanged, but cyber extortion groups like Shiny Hunters operate by forcing their victims to send money in bitcoin after a negotiation through an encrypted chat service.

It is unusual for victims of cyber attacks to publicly acknowledge paying hackers, but Instructure has maintained a high level of transparency, providing regular updates on its website.

That openness may be partly because the attack was highly visible and affected students directly.

Students sitting exams in the US were particularly badly affected, losing access to Canvas for revision and, in some cases, having online exams interrupted.

Aubrey Palmer, a meteorology student at Mississippi State University, told the BBC that they and other students had just finished writing a 2,900‑word exam essay when a ransom message suddenly appeared on their screens.

Courtesy of Aubrey Palmer

The note read: "Shiny Hunters has breached Instructure (again)."

It threatened to release stolen data unless a ransom was paid in bitcoin by Canvas or affected universities.

"My knee‑jerk reaction was that I'd been hacked myself, because that's what it looked like," Palmer said. "But then I actually read the ransom note and saw it was Canvas that had been hacked."

Aubrey said their professor and dozens of students received the same message, and there was confusion in the exam room about whether their work had been saved.

Mississippi State University later announced some exams would be postponed to allow students to recover any lost work.

Shiny Hunters is known for hacking organisations, stealing data and then publicly pressuring victims to pay ransoms in bitcoin.

The group has been linked to other breaches, including attacks on Jaguar Land Rover and Gucci. The criminals are English‑speaking and believed to be young.

In Telegram messages exchanged with the BBC, Shiny Hunters said it had hacked Canvas twice before last Thursday's attack.

Instructure disclosed a breach in September 2025 in a post on its blog.

Shiny Hunters has also claimed it breached the company again in April 2026, ahead of the 29 April attack.

When asked how it felt about the stress and disruption caused to students like Aubrey Palmer, the group said: "We have no comment on that."

It would not say how much it had been paid by Instructure.

• Have you been affected? Share your experiences here