Shiny Hunters … Instructure … and data removal

We continue to find updates on the ongoing issues over at Instructure, the company that provides Canvas, the educational tool that over 8,000 schools use to give out their course work and communicate with their students.

Since today is May 12th, today was going to be the day of negotiations, and that apparently has happened.

Here are the first three paragraphs of this article.

Instructure, the edtech giant behind the widely popular Canvas learning management system (LMS), has reached an “agreement” with the ShinyHunters extortion group to prevent the data stolen in a recent breach from being leaked online.

Instructure, while that’s a great idea, if indeed a ransom was paid, that fuels them to continue this work. But … what you may not know is that the leaked data had already been put online in some form on their leak site to get you to make a payment arrangement, if that is indeed the path taken.

The company says over 30 million educators and students use its Canvas platform across more than 8,000 schools and universities worldwide.

In a Tuesday statement, Instructure said the cybercrime gang also returned the stolen data (which includes usernames, email addresses, course names, enrollment information, and messages) and provided shred logs confirming its destruction.

This paragraph is not making any sense. How can you “return the data?” Shredding is not the same as it is in paper form. The fact that shred logs were given to you does not mean that it was actually done. They already started the process of putting your data out there, even if it was on their leak site.

“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

I’m sorry, Instructure, but this is not necessarily the case, but I hope it is for your sake. You may want to search out this type of thing and see how true this is, because I’ve personally been reading things like this paragraph and then read later that data belonging to you as an example would be leaked elsewhere, by someone else, or even another group trying to capitalize on the aforementioned breach.

While your PR was beautifully executed and should be commended, we’ll find out for sure if Shiny Hunters will live up to their “supposed” end of the agreement between you and them.

If Instructure should read something from the Bleeping article or this analysis, it is this paragraph.

ShinyHunters has now removed the Instructure entry from its data leak site, which usually happens after victims pay a ransom. However, as the FBI has repeatedly warned, paying a ransom does not guarantee that threat actors will not also sell the stolen data to other cybercriminals or attempt to extort the victims again.

The sentence,

However, as the FBI has repeatedly warned, paying a ransom does not guarantee that threat actors will not also sell the stolen data to other cybercriminals or attempt to extort the victims again.

This is the most important thing that you should read. It’s something to at least keep in mind and monitor what’s going on … especially for a while after your agreement was “inked” and the data was “deleted.”

Instructure will be sharing what they learned, in a webinar on Wednesday. That paragraph says:

Instructure added today that its leadership will share more information regarding the incident and the measures it has taken to secure its systems against future breach attempts in a May 13 webinar.

This is great PR, and the fact that a webinar on what was learned, how you’re going to protect data, how you’ve learned what happened and how you’ll try to do better are all great steps. Companies, take notice.

We do know that the “free for teachers” platform is still down and will be analyzed to make sure that things can be brought up again in a better form than it was when this happened.

The article continues:

Instructure confirmed to BleepingComputer that ShinyHunters exploited a security issue in the Free-for-Teacher environment, a free, limited version of Canvas LMS for individual educators, to steal the data.

We also heard there were XSS attacks, so I don’t know what to say.

The cybercrime group also hacked Instructure again on May 7, using the same vulnerability as in the initial intrusion, to deface Canvas login portals and leave an extortion message, warning that the company and its customers had until May 12 to enter negotiations to pay a ransom.

The company apparently entered negotiations and settled, but this could turn bad now. As TSB’s SMS group said, now they’ve opened themselves for more potential attacks and headaches.

I completely understand a company’s position. You can decide not to pay, the ransomware group can extort you again, leak your stuff, and cause you reputational harm. You pay, the extortion group indicates they won’t do anything with you again, then extorts you again … sells your data even though they deleted it for what they said … or of course, maybe both.

ShinyHunters injected malicious JavaScript to exploit Canvas XSS flaws in user-generated content features, which allowed them to obtain authenticated admin sessions and perform privileged actions.

Of course, so unless you can verify that the code is completely gone from the network, there could still be traces of it. Including copies of the pages through sites like archive, although it probably won’t be the case, since some of these things are through portals which aren’t archived by that site.
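One way to check stored user-generated content for leftover injected script, as an added example that is not from the article or from Instructure: it parses each stored HTML fragment and reports script-capable elements, inline event handlers and javascript: URLs. The record layout, the ids and the sample fragments are constructed for illustration, and a hit is a lead for manual review rather than proof of compromise.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Browsers ignore leading control characters/spaces and any tab/CR/LF in a URL scheme.
LEADING_JUNK = "".join(chr(c) for c in range(0x21))


class ActiveContentFinder(HTMLParser):
    """Collects script-capable constructs found in one HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values,
        # so mixed case and character references do not hide a match.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS:
                url = (value or "").translate({9: None, 10: None, 13: None})
                if url.lstrip(LEADING_JUNK).lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan(fragment):
    """Return the list of findings for one stored HTML fragment."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def audit(records):
    """Map record id -> findings, only for records that contain active content."""
    return {r["id"]: f for r in records if (f := scan(r["body"]))}


# Constructed sample rows standing in for stored pages and messages.
RECORDS = [
    {"id": "page-1", "body": "<p>Week 3: <a href='https://example.edu/s'>syllabus</a></p>"},
    {"id": "msg-2", "body": '<img src="x.png" onerror="void(0)">'},
    {"id": "page-3", "body": '<a href="jav&#x09;ascript:void(0)">notes</a>'},
    {"id": "page-4", "body": "<SCRIPT SRC=//cdn.example/x.js></SCRIPT>"},
]
```

Run `audit()` over an export of every field that accepts rich text; an allow-list sanitizer on write and a Content-Security-Policy on read remain the actual controls.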

Apparently, this is not the first time for Instructure. Two in a matter of time, and then there’s this paragraph.

In September 2025, Instructure disclosed another breach, also claimed by ShinyHunters, that allowed attackers to access data in the edtech giant’s Salesforce instance.

How much did you apparently have to pay that time, Instructure?

The final paragraph names some of the companies in which Shiny Hunters have supposedly been involved.

Name any of the companies from the following paragraph that might be of familiarity to you. Some may have been covered on the blog, a few are links within Bleeping itself, and others may not be. That paragraph says:

Other breaches recently claimed by ShinyHunters include Google, Cisco, PornHub, the European Commission, online dating giant Match Group, Rockstar Games, home security giant ADT, video service Vimeo, edtech giant McGraw-Hill, medical device maker Medtronic, and Spanish fast-fashion retailer Zara.

The full article this time is titled Instructure reaches ‘agreement’ with ShinyHunters to stop data leak if you’d like to read it in full.

There will be a special TSB taping on Wednesday where we’ll take apart what we’ve learned, tie it to PowerSchool and other breaches, and ask the real question on whether anything has been learned yet.

The podcast should be released later on in the evening, and the show notes will have coverage from around the web. We will not be linking to the Tech Blog’s articles, only to the original source coverage.

The blog awaits your comments. Have a great day!

