Canvas Developer Pays Ransom to Recover 275 Million Stolen User Records
Amsterdam, Tuesday 12 May 2026
Canvas developer Instructure paid cybercriminals an undisclosed ransom to secure 275 million users’ stolen records, successfully recovering billions of private messages and preventing further global extortion.
A Vulnerability in Scalable SaaS Architecture
The scale of the breach highlights the profound concentration of risk within modern educational infrastructure. On 11 May 2026, Instructure announced it had reached an agreement with the cybercriminal syndicate ShinyHunters, securing the destruction of approximately 3.65 terabytes of exfiltrated data [4][7]. The breach, which Instructure first discovered on 29 April 2026, compromised the personal information of roughly 275 million users across 8,809 global educational institutions [4][7]. To provide a sense of scale, Instructure’s Canvas platform is utilised by 41 per cent of higher education institutions in North America alone [1]. The stolen cache included names, email addresses, student identification numbers, and several billion private messages between students and faculty [1][4]. However, Instructure confirmed that no passwords, government identifiers, or financial information were compromised [4].