Instructure reaches deal with ShinyHunters as Canvas breach hits Australian universities

Instructure, the company behind the Canvas learning management system used by universities across Australia, has reached an agreement with the ShinyHunters hacking group, ending a days-long crisis in which 3.65 terabytes of data were stolen from roughly 9,000 institutions worldwide.

The agreement, announced hours before the hackers’ midday deadline on 12 May, includes confirmation from ShinyHunters that all stolen data has been returned and destroyed. “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company said in a statement.

Whether any payment changed hands remains unclear. The company declined to say — a silence that has drawn sharp attention from Australian cybersecurity policymakers.

News of the breach surfaced late last week when ShinyHunters, a prolific cybercriminal group, claimed it had exfiltrated course materials, student records, and administrative files. The group threatened to auction the data on dark-web forums if its demands were not met by midday on 12 May Australian Eastern Standard Time.

Steve Daly, Instructure’s chief executive, acknowledged the company’s communication failures during the crisis.

“Over the past few days many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom,” Daly said. “You deserved more consistent communication from us and we didn’t deliver it. I’m sorry for that.”

An estimated 275 million students globally may have had personal information exposed, according to the Australian Computer Society’s Information Age.

A second breach, a pattern of concern

The incident is the second confirmed ShinyHunters breach of Canvas systems within a single year. It raises uncomfortable questions about whether Instructure’s remediation after the first attack was sufficient.

“Two confirmed breaches by the same threat actor on the same platform suggests a pattern that demands scrutiny,” Darren Guccione, chief executive of Keeper Security, told Information Age.

Australian universities in the blast radius

Australian institutions were among those affected. Universities including the University of Melbourne, Monash, UNSW, and the University of Queensland are confirmed Canvas users, though it is unclear which had data caught up in the theft.

Lieutenant General Michelle McGuinness, Australia’s national cybersecurity coordinator, is monitoring the fallout. The Australian Signals Directorate separately used the incident to urge organisations to harden defences against ransomware and extortion-based attacks.

Australian firms contacted by SecurityBrief Australia described a scramble to audit supply-chain exposure, particularly for third-party tools that integrate with Canvas through LTI plugins.

For university IT teams, the hackers’ assurance that files have been destroyed offers limited comfort without independent verification. Instructure is cooperating with forensic investigators but has not committed to a public audit of the breach’s scope — a gap that will weigh on institutions for months.