Instructure, owner of the Canvas learning management platform, says it has reached an agreement with the ShinyHunters hacking group to recover stolen student data following a breach last week.
The ShinyHunters group claimed responsibility for breaching Canvas systems and threatened to publish 3.5 terabytes of student data unless ransom demands were met. Instructure confirmed the stolen data has been returned as part of the agreement.
The attack forced Canvas offline briefly before the company restored service. ShinyHunters, a known cybercriminal group, had publicly threatened to leak the data online if their "settlement" demands were not satisfied.
Details about the financial terms of the agreement remain undisclosed. Instructure has not specified what information was accessed during the breach or how many students were affected.
Canvas serves millions of students and educators across K-12 schools and higher education institutions globally. The platform hosts course materials, assignments, grades, and other sensitive academic information.
This incident adds to a growing list of education sector breaches targeting learning management systems. Schools and universities increasingly face sophisticated cyberattacks aimed at obtaining personal and financial data of students and staff.
Instructure has not released a full security report detailing how the breach occurred or what preventive measures will be implemented. The company typically provides incident reports to affected institutions and users, though timelines vary.
The agreement with ShinyHunters does not guarantee the data will not be sold or leaked through other channels. Cybersecurity experts note that such agreements with criminal groups offer limited assurance, as stolen data can be copied and distributed despite promises of deletion.
Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.
A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.
Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.
Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.