Instructure has confirmed it reached an agreement with the hacking group ShinyHunters after attackers twice breached its widely used Canvas education platform, disrupting institutions across several countries and exposing sensitive student data.

The company said the arrangement was made to prevent the publication of stolen information following days of pressure from the attackers, who publicly threatened to leak the material online.

Canvas is used by thousands of educational institutions in the United States, Canada, Australia and the United Kingdom. The incidents disrupted studies, forced some exams to be postponed and raised concerns among schools and universities over the security of student records and internal communications.

ShinyHunters claimed it stole more than 3.5 terabytes of data during the attacks. According to the information disclosed, the material included names, email addresses, student identification numbers and messages exchanged between teachers and students.

Instructure said the hackers agreed to return the data, provide proof that their copies had been destroyed and refrain from attempting to extort customers connected to the platform.

In a statement published on its incident update page, the company acknowledged ongoing concerns among users and institutions affected by the breach.

“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers,” the company said.

“We understand how unsettling situations like this can be, and protecting our community remains our top priority.”

The company added that, “with that responsibility in mind,” it had reached an agreement with the unauthorised actor involved in the incident.

Instructure first disclosed the breach on 29 April 2026, saying it had detected unauthorised activity inside Canvas and had revoked third-party access while an investigation was launched with outside forensic experts.

The situation escalated on 7 May when the Canvas login page itself was altered to display a message attributed to ShinyHunters.

“ShinyHunters has breached Instructure (again),” the message read. “Instead of contacting us to resolve it, they ignored us and did some ‘security patches’.”

The group also imposed a deadline of 12 May, warning that “everything is leaked” if no agreement was reached.

Instructure later linked the second incident to the earlier breach and temporarily took Canvas offline as a precaution while additional safeguards were applied.

The company said the attackers exploited an issue connected to its Free-For-Teacher accounts, describing it as the same weakness involved in the earlier unauthorised access.

“As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said.