Instructure Paid the Ransom. ShinyHunters Leaked the Data Anyway. 275 Million Students Exposed.
ShinyHunters breached Canvas LMS through a free teacher account flaw. Instructure paid the ransom. Data was already copied. 275M student records exposed.

Instructure, the company behind Canvas LMS used by thousands of educational institutions worldwide, paid a ransom to ShinyHunters after the extortion group breached its platform and exfiltrated records affecting an estimated 275 million students and staff. The payment bought a promise. It did not buy protection.
The breach was contained by May 6, 2026. On May 7, ShinyHunters defaced the Canvas platform. The sequence reveals the fundamental problem with ransom payments: by the time an organization knows it has been breached, the data has already been copied. Payment buys a promise from criminals not to publish what they have already taken. That promise has no enforcement mechanism.
The attack vector was a vulnerability in Canvas's Free-For-Teacher account program. ShinyHunters exploited this flaw to gain initial access, then escalated to exfiltrate student records, staff information, and private messages exchanged through the platform. The inclusion of private messages makes this breach particularly dangerous for individuals, as educational platform messages often contain personal disclosures, disciplinary discussions, and communications between students and faculty that were never intended for public exposure.
The Ransom Payment Paradox
Instructure's decision to pay illustrates the impossible position organizations face during active extortion. Refuse to pay, and the data is published. Pay, and you have funded criminal operations while receiving only a verbal commitment that the attackers will delete what they stole.
The data was exfiltrated before Instructure knew the breach had occurred. By definition, paying afterward cannot un-steal the data. It can only purchase a promise of deletion from an organization that has already demonstrated it will break into systems and steal data for profit. The incentive structure does not support trust.
This pattern has repeated across ShinyHunters' campaigns. The group's operational model depends on volume: breach many organizations simultaneously, demand payment from each, and publish data from those who refuse. The PeopleSoft campaign, the Salesforce campaign, and the Canvas campaign all follow this playbook. Organizations that pay become data points in ShinyHunters' pitch to the next victim: "look, the smart ones pay."
What Actually Protects Student Data
The durable defense is not negotiation after the fact. It is rendering exfiltrated data useless before it leaves.
Encrypt sensitive records at rest with customer-managed keys. If student records and messages are encrypted with keys that the application does not store alongside the data, exfiltration produces ciphertext, not PII. The attacker gets data they cannot read.
Implement zero trust access controls for administrative functions. The Free-For-Teacher account vulnerability suggests that account provisioning pathways were not subject to the same security controls as paid accounts. Every account type, free or paid, must pass through the same authentication and authorization checks.
Monitor for anomalous data export patterns. A single account querying 275 million records should trigger alerts long before the exfiltration completes. Data loss prevention controls and anomalous query volume detection are essential for platforms holding this scale of PII.
Do not pay ransoms. The evidence is clear: payment does not protect the data, it funds criminal operations, and it incentivizes future attacks against the same organization and its peers.
Key Takeaways
- ShinyHunters breached Canvas LMS via a vulnerability in the Free-For-Teacher account program, exfiltrating 275 million student and staff records
- Instructure paid the ransom but the data was already copied; ShinyHunters defaced the platform the day after containment was announced
- Stolen data includes student records and private messages, creating heightened privacy risk
- This is part of ShinyHunters' pattern: Snowflake (2024), Salesforce (March 2026), Canvas (May 2026), PeopleSoft (June 2026)
- Encryption at rest with customer-managed keys is the only control that survives data exfiltration
- Ransom payments fund criminal operations without protecting stolen data
Deepak Gupta is the co-founder and CEO of GrackerAI. He previously founded a CIAM platform that scaled to serve over 1B+ users globally. He writes about AI, cybersecurity, and digital identity at guptadeepak.com.
Get the newsletter
New writing on identity, AI security, and building software, delivered when it ships. No tracking pixels, no funnels, unsubscribe with one click.