\n<\/p>\n
Instructure, the maker of the popular school information portal Canvas, said on Tuesday it has \u201creached an agreement\u201d with the hackers who breached its systems twice, stole a huge amount of student and staff data, and disrupted thousands of schools that rely on the company\u2019s software.<\/p>\n
ShinyHunters, a financially motivated cybercrime group, took credit for the April 29 data breach, claiming to have stolen student and staff data, including the personal information, of a total 275 million people. The hackers said they had compromised Canvas, which nearly 9,000 schools use to manage their students\u2019 data and coursework.<\/p>\n
The hackers last week breached the company for a second time, defacing the Canvas login pages on school websites<\/a>, as part of efforts to pressure the company into paying their ransom.<\/p>\n Instructure said on its incident page<\/a> late on Monday that as part of the agreement, the hackers had provided evidence that the stolen data was destroyed, and that Canvas customers would not be extorted.\u00a0<\/p>\n The company acknowledged that there is \u201cnever complete certainty\u201d when negotiating with cybercriminals, but noted that customers should not have to engage with the hackers.<\/p>\n Financial terms of the agreement were not disclosed, and Instructure did not say how much it paid the hackers. Instructure spokesperson Brian Watkins did not respond to a request for comment, or answer questions about the agreement when contacted on Tuesday.<\/p>\n In a post on its leak site, which TechCrunch has seen, ShinyHunters was threatening to publish the stolen data it stole from Instructure if the company did not pay their extortion demand.\u00a0<\/p>\n As of Tuesday, the listing had been removed from the ShinyHunters\u2019 page, indicating that a ransom may have been paid.<\/p>\n A representative from ShinyHunters told TechCrunch: \u201cThe data is deleted, gone. The company and it\u2019s [sic] customers will not further be targeted or contacted for payment by us.\u201d<\/p>\n It\u2019s not clear why Instructure paid the hackers. Governments, including the United States, have long urged<\/a> victims of cybercrime not to pay ransoms to hackers, as this helps cybercriminals profit from their attacks. Security researchers have argued that victims cannot trust the word of malicious hackers<\/a> \u2014 some cybercriminals have been found holding on to stolen data<\/a> despite saying they had deleted it so they could continue extorting their victims.<\/p>\n The hack on Instructure mirrors a cyberattack on PowerSchool, which was hit by a massive data breach<\/a> affecting 70 million students and staff in 2024. PowerSchool, which also makes school information software, paid the hackers<\/a> to return the stolen data, but several of its customers were later extorted by another crime group<\/a> that showed data from the breach that had not been destroyed.<\/p>\n The FBI said in a statement<\/a> last week that it was \u201caware\u201d of the system disruption affecting schools and educational institutions around the United States. The notice did not name Canvas, but it did mention that victims should \u201cnot send payment or respond\u201d to the demands of cybercriminals.<\/p>\n The data stolen from Instructure, some of which TechCrunch has seen, includes students\u2019 names, their personal email addresses, and messages exchanged by teachers and students, including private and personal information.<\/p>\n On its website, Instructure acknowledged that hackers had breached the company\u2019s systems twice in under a year, but said that the two breaches were \u201cdistinct events\u201d that involved different systems.\u00a0<\/p>\n Instructure said it was still investigating the breach and validating its findings.<\/p>\n It\u2019s not clear who at Instructure oversees or is responsible for cybersecurity, if not the company\u2019s chief executive, Steve Daly. When contacted by TechCrunch, Instructure would not say if Daly plans to resign following the data breaches.<\/p>\n Are you a Canvas administrator or school notified about the breach? Have you received an extortion demand from the hackers? We want to hear from you. To contact this reporter securely, reach out via Signal username <\/em>zackwhittaker.1337<\/em><\/a>.<\/em><\/p>\n<\/div>\n When you purchase through links in our articles, we may earn a small commission<\/a>. This doesn\u2019t affect our editorial independence.<\/em><\/p>\n