Canvas owner Instructure has confirmed it paid hackers following the massive cyberattack that disrupted schools and universities during finals week and raised concerns over potentially stolen student data.

The attack, claimed by the cybercrime group ShinyHunters, caused widespread outages across the Canvas learning management platform earlier this month, locking students and teachers out of coursework, assignments, lecture materials, and exams at thousands of institutions worldwide.

In a public statement, Instructure acknowledged that it entered negotiations with the attackers and ultimately paid the ransom demand in an effort to prevent the publication of stolen data. The company said the decision was made after consulting cybersecurity experts and law enforcement.

The company has not publicly disclosed how much money was paid or whether the attackers provided proof that the stolen data was deleted afterward.

The breach hit at one of the worst possible times for educational institutions, arriving during final exams and graduation season. Students across North America, Europe, Australia, and Asia reported being unable to access study materials, submit assignments, or complete assessments as schools temporarily disabled Canvas access during the incident.

Several universities delayed exams or extended deadlines after the outage disrupted coursework systems. Some institutions disconnected Canvas entirely from internal networks while investigating potential exposure of student and staff data.

ShinyHunters claimed the attack affected nearly 9,000 schools and exposed data tied to approximately 275 million users worldwide. According to the group, the stolen information included names, email addresses, student ID numbers, and billions of private messages exchanged through Canvas systems.

Instructure previously said there was no evidence that passwords, financial information, Social Security numbers, or government-issued identifiers were compromised. The company attributed the breach to issues involving “Free-For-Teacher” accounts connected to the platform.

During the incident, some users attempting to log into Canvas were reportedly redirected to ransom messages posted by ShinyHunters demanding negotiations before a leak deadline. The attackers threatened to publicly release stolen data if payment was not made.

The decision to pay the hackers is likely to trigger debate among cybersecurity experts and educators. Law enforcement agencies generally discourage ransom payments because they can encourage future attacks and provide no guarantee that stolen data will actually be destroyed.

Still, organizations facing large-scale extortion incidents often weigh the risk of sensitive information becoming public, particularly when millions of students, teachers, and staff may be affected.

The incident has become one of the largest known cyberattacks targeting the education sector and has renewed concerns about the growing dependence on centralized educational technology platforms. Security researchers warn that large learning management systems have become increasingly attractive targets because they store enormous amounts of sensitive personal and institutional data in one place.

Questions also remain about whether all stolen data was secured following the payment. Cybersecurity experts note that ransomware and extortion groups frequently retain copies of stolen information even after negotiations conclude, leaving victims exposed to future leaks or resale on underground forums.

Instructure said it continues working with forensic investigators and law enforcement agencies while monitoring for any signs that the stolen data may still surface online.
