The recent Canvas and Instructure security incident is a reminder that ransomware is no longer just about encrypted files. Modern attackers often steal data, threaten public leaks, pressure customers directly, and use disruption as leverage.
For schools, universities, students, parents, and IT teams, this incident is especially serious because Canvas is deeply tied to daily learning. Assignments, grades, course content, messages, and exams often run through the platform. When access is disrupted during finals, the operational pressure becomes intense.
That pressure is exactly what ransomware groups count on.
What happened with Canvas and Instructure?
Instructure, the company behind Canvas, confirmed that it detected unauthorized activity in Canvas on April 29, 2026. The company later identified additional unauthorized activity on May 7, when the attacker made changes to pages that appeared after some students and teachers logged in through Canvas. Instructure temporarily took Canvas offline to contain the activity, investigate, and apply safeguards.
According to Instructure, the incident involved data fields such as usernames, email addresses, course names, enrollment information, and messages. The company said core learning data, including course content, submissions, and credentials, was not compromised, based on what it currently understands.
Instructure also said the issue was tied to Free-For-Teacher accounts and that those accounts were temporarily shut down while the company completed additional safeguards. The company reported that Canvas was fully back online and that it had revoked privileged credentials and access tokens, rotated internal keys, restricted token creation pathways, and added monitoring.
The ransom problem
The Associated Press reported that the ShinyHunters group claimed responsibility and threatened to leak data involving nearly 9,000 schools and 275 million individuals. Instructure later said it had reached an agreement with the unauthorized actor, received the data back, and received digital confirmation of data destruction in the form of “shred logs.” AP also noted that Instructure did not disclose whether the agreement involved payment.
That last detail matters. Whether money changed hands or not, ransomware negotiations are built on a dangerous assumption: that criminals will keep their word.
They might. They might not. There is no reliable way to know whether all copies of stolen data were actually destroyed, whether the data was already shared, or whether the same information could be used later for phishing, impersonation, credential attacks, or additional extortion.
Instructure acknowledged that there is “never complete certainty when dealing with cybercriminals.”
Why you should not pay ransomware demands
The FBI is clear on this point: it does not support paying ransom in response to a ransomware attack. The FBI warns that paying does not guarantee an organization will get its data back, encourages attackers to target more victims, and gives others an incentive to participate in ransomware crime.
That is the core problem. Paying can feel like the fastest way out of a crisis, but it often creates bigger long-term risk. It funds the criminal market. It proves that extortion works. It can also make the victim look like a good target for the next group.
Even worse, payment does not undo the breach. If attackers accessed user data, the organization still needs forensic investigation, notification decisions, legal review, customer communication, credential review, logging analysis, and long-term hardening.
What schools and businesses should do instead
The better strategy is preparation before an incident and disciplined response during one.
Organizations should maintain tested backups, enforce MFA, review third-party integrations, restrict administrative access, monitor abnormal logins, and keep incident response plans current. For education platforms specifically, IT teams should also audit LMS integrations, OAuth applications, developer keys, SSO settings, support workflows, and any custom scripts or embedded content.
Instructure’s own incident change log shows several security-related changes after the incident, including elevated authentication controls, API key visibility changes, GraphQL enrollment API restrictions, OAuth redirect changes, self-registration defaults, and limitations around custom scripting or embedded content in certain areas.
Users should also be cautious. Students, teachers, parents, and staff should watch for unexpected emails or messages referencing the incident, avoid suspicious links, and report unusual activity to their school or institution’s IT team. Instructure gave similar guidance in its FAQ.
The real lesson from the Canvas hack
The Canvas hack is not just a Canvas story. It is a lesson for every organization that depends on cloud platforms, SaaS tools, and vendor-hosted systems.
You can outsource software, but you cannot outsource responsibility for risk. Schools and businesses still need vendor review, backup plans, communication plans, phishing awareness, and clear incident response procedures.
Most importantly, organizations should not build their ransomware strategy around paying criminals. The goal should be resilience: know what data you have, reduce what attackers can reach, detect problems quickly, communicate clearly, and recover without rewarding extortion.
If your organization needs help reviewing website security, hosting security, or incident response planning, contact the Illini Tech Services team.