Instructure, the U.S company at the centre of a major cyberattack involving learning management system Canvas, has published an update to its website saying it has reached a deal with ‘ShinyHunters’ – the hackers responsible for the breach.
The cyberattack, which took place on 30 April 2026 but was revealed on 6 May 2026, impacted more than 9,000 educational institutions worldwide, including tens of thousands of students and staff across Australia.
The breach involved the theft of names, email addresses, student ID numbers, and private messages sent through Canvas, but there is still no evidence that passwords, dates of birth, financial information, or government identifiers were compromised.
In a statement posted on the Instructure’s website, chief executive Steve Daly said the company had “reached an agreement with the unauthorized actor involved in this incident.”
As part of that agreement, the data was returned to us [and we have] received digital confirmation of data destruction [shred logs],” he said.
“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
Daly said the agreement “covers all impacted Instructure customers”, adding that “there is no need for individual customers to attempt to engage with the unauthorized actor.”
“We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved,” Daly said.
“As our investigation draws closer to a conclusion, we also intend to share additional details about the root cause and lessons learned, with the goal of helping the broader education technology community better understand and defend against similar threats.”
Daly said Instructure will continue to provide updates as that work progresses.
In the wake of the cyber breach, Instructure’s leadership aims to hold a webinar today across multiple timezones that will detail information about the cyber attack and the company’s activities to “harden” the system.