Today, 12 May 2026, the deadline ShinyHunters set for Instructure to pay or see data from 275 million students and staff leaked has expired. The outcome was not what many expected: Instructure has announced an agreement with the attackers to prevent data publication. The Register, covering the case in real time, interprets the CEO’s statement as an implicit confirmation of a ransom payment. Simultaneously, the company revealed there were not one but two separate security incidents, both linked to the same vulnerability in its free teacher accounts. We published the first analysis on 7 May. Today, with the ultimatum closed and new revelations confirmed, we complete the picture.

What has happened in the last few hours?

Hours before the deadline expired, Instructure CEO Steve Daly published a blog update containing the sentence that has drawn all attention: “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” The deliberately ambiguous statement is as close to a ransom payment confirmation as a company can come without explicitly admitting it. The Register and Cyber Daily interpret it unambiguously as payment.

Facts confirmed as of today:

  • Canvas has been fully operational since 11 May. Instructure confirmed “All Canvas environments are available” at 10:21 UTC on 11 May.
  • Instructure confirmed two separate breaches: first detected 29 April 2026, second identified 7 May 2026, both linked to the same vulnerability.
  • Confirmed vector: vulnerability in Canvas’s Free-for-Teacher account programme.
  • ShinyHunters defaced ~330 university login portals on 7 May before Instructure took Canvas into maintenance mode.
  • This is ShinyHunters’ third breach of Instructure in under a year (prior: Instructure’s Salesforce environment, September 2025).
  • Data confirmed compromised by Instructure: usernames, email addresses and student IDs. ShinyHunters claims to have stolen 3.65 TB comprising ~275 million records from ~8,800 institutions, including private messages.

Two confirmed breaches: more serious than initially disclosed

The confirmation of two separate incidents changes the case narrative. When Instructure made its first statement on 1 May, it presented the incident as contained. The reality was different:

  • First breach (29 April): Instructure detected unauthorised activity in Canvas, revoked the intruder’s access and launched an investigation. At that point the company indicated no evidence that passwords, dates of birth, government identifiers or financial information had been compromised.
  • Second breach (7 May): Instructure identified additional unauthorised activity linked to the same incident. This second intrusion caused Canvas to go down and triggered the mass portal defacement. Between the two intrusions, ShinyHunters had time to exfiltrate the bulk of the data and plan the escalation.

Instructure’s initial framing as a single contained incident did not reflect the attacker’s operational reality. The way this communication was handled will face regulatory and reputational scrutiny in the months ahead.

The Free-for-Teacher vector: the weak link no one was watching

The most important technical revelation today is the confirmed entry vector: a vulnerability in Canvas’s Free-for-Teacher programme, which allows any teacher to register a free account to explore the platform without being affiliated with an institution. Three factors make this vector significant:

  1. Access outside the institutional perimeter. Free-for-Teacher accounts are not tied to any institution’s security controls (SSO, corporate MFA, access policies). Anyone can create one, making them an entry point with minimal oversight.
  2. Invisible to university security teams. Institution CISOs and IT teams have no visibility over Free-for-Teacher accounts. The attack vector was a surface that institutional defenders could not monitor.
  3. Access to the underlying infrastructure. The vulnerability in this peripheral programme gave ShinyHunters access to Canvas’s core infrastructure, from which the data of ~8,800 client institutions was reached. In short, a flaw in a peripheral service compromised the core.

The technical lesson is direct: freemium or trial access programmes within critical SaaS platforms can be the least protected vector in the entire ecosystem. When the attack surface is open to anyone, the risk to all platform customers is determined by the lowest common denominator of security in that programme.

Instructure paid the ransom: what we know and what it means

CEO Steve Daly’s statement is deliberately opaque: “we have taken every step within our control to give customers additional peace of mind” and “we have been informed that no Instructure customers will be extorted.” The Register, Cyber Daily and multiple security analysts interpret this as standard corporate language confirming a ransom payment. The Register adds: “it looks like that’s what happened here.”

If the payment is confirmed, it has four direct implications:

  1. It does not guarantee data destruction. ShinyHunters can retain copies, sell them on private markets or use them in future operations. The “no public extortion” agreement does not equal no data leakage through other channels.
  2. It does not grant an exemption from GDPR obligations. Paying a ransom does not suspend the duty to notify supervisory authorities or data subjects. Institutions using Canvas must assess with their DPO whether they are obliged to notify students and staff of the breach.
  3. It makes Instructure a repeat target. This is the third breach in under a year. Criminal groups share information about victims who pay. The signal to attackers is unambiguous.
  4. It opens an ethical and regulatory debate. Authorities (FBI, EUROPOL, CCN-CERT in Spain) do not recommend payment. But when the platform is the educational infrastructure of 9,000 institutions during final exams, the pressure to resolve the incident quickly is immense. The case illustrates the real tension between regulatory guidance and operational reality.

Key lessons for Spanish universities and educational institutions

Immediate actions:

  • Rotate all Canvas API keys, OAuth tokens and SSO credentials. Regardless of Instructure’s “agreement”, credentials exposed across either breach must be treated as potentially compromised.
  • Issue phishing advisories to students and staff. With names, emails and student IDs exposed, attackers have ample material for highly targeted campaigns impersonating the institution, IT support or academic administration.
  • Audit Free-for-Teacher accounts linked to your institutional domain in Canvas and check for any unusual activity.

Regulatory:

  • Assess with your DPO whether notification to data subjects is required (students, staff, personnel). Instructure’s agreement with ShinyHunters does not exempt each institution from conducting its own risk assessment under Arts. 33 and 34 GDPR.
  • Document your analysis and decision. If the AEPD investigates the incident in the future, documented due diligence is key to demonstrating proactive compliance.

Strategic:

  • Review the level of due diligence applied to Instructure as a critical vendor. Three breaches in under a year is a vendor risk signal that should be documented and reflected in contract renewal.
  • Update your educational continuity plan to address how a prolonged Canvas outage during final exams or critical deadlines would be managed.

Cybersecurity as a strategic priority

The Canvas-Instructure-ShinyHunters case closes today with more questions than answers. How much was paid? Have the data truly been destroyed? How many universities negotiated separately? Will ShinyHunters return with the same data in another campaign?

What is clear is that higher education has a new red line: critical SaaS providers managing educational infrastructure are first-tier extortion targets. And when a single platform concentrates 9,000 institutions and 275 million users, the risk of a single point of failure can no longer remain invisible in university risk management frameworks.

Apolo Cybersecurity: managing critical SaaS provider risk in education

At Apolo Cybersecurity we help universities and educational institutions assess and manage the risk of their critical SaaS providers: contract and audit rights analysis, vendor security posture assessment, compromised credential detection, incident response plans integrating GDPR timelines, and support communicating with the AEPD and affected individuals.

If your institution uses Canvas and is uncertain about the implications of this double breach for your regulatory obligations, now is the time to verify.
