Instructure said it reached an agreement with the hackers behind breaches at its Canvas learning platform and that stolen data was returned, with destruction of copies confirmed to the company. [1, 2, 3, 4, 5, 6]
The hack disrupted access to Canvas at about 9,000 schools and universities, with exams and coursework affected. [1, 7, 2, 3, 6] ShinyHunters claimed responsibility and threatened to leak stolen data unless it received a response or a ransom. [7, 2, 3, 4, 6]
Instructure said core learning data such as course content, submissions and credentials was not compromised. [7, 3] The compromised material reportedly included usernames, email addresses, course names, enrolment information, messages and student or private conversations. [7, 2, 3, 4, 6]
The company said the agreement covered all impacted customers and that individual customers did not need to deal with the hackers. [1, 2, 4, 5] Instructure also said it was taking steps to give customers added peace of mind, and CEO Steve Daly apologized for the disruption and for what he called inconsistent communication. [1, 7]
Reports put the breach on different dates and give different data figures. One source said Instructure first detected the breach on April 29, while other reports tied the attack to May 7, when Canvas was shut down for hours and ShinyHunters claimed responsibility on a Canvas page. [1, 2, 6] The group’s ransom deadline was reported as May 6 in some accounts and May 12 in others. [3, 4, 6]
On May 13, U.S. House lawmakers demanded answers from Instructure and asked CEO Steve Daly to testify about the breaches and the company’s response. [8]