Instructure Confirms Deal With Hackers After Second Breach of Its Canvas Platform

Instructure, the company behind the widely used Canvas learning management system, confirmed it has "reached an agreement" with threat actors who breached its systems twice, according to a company statement. The admission raises serious questions about the safety of data belonging to the millions of students, educators, and institutions that rely on Canvas for daily academic operations.

The dual intrusion represents a significant escalation for the education technology sector. Rather than denying the breach or attempting to negotiate privately, Instructure acknowledged the agreement publicly—but did so while explicitly declining to guarantee that the hackers would honor their word or refrain from releasing stolen data. The company declined to specify what concessions were made in the deal, leaving open whether financial payment, data access guarantees, or other terms were involved. Security researchers note that paying extortion demands does not ensure data deletion and may incentivize future targeting.

The breach carries weighty implications for the K-12 and higher education markets where Canvas dominates. Schools that entrust sensitive student records, grades, and communications to the platform now face unresolved risk exposure. Regulators in the U.S. and abroad could intensify scrutiny over how Instructure handled the incident and what notification obligations were triggered. The case also signals mounting pressure on software vendors across the edtech space to demonstrate robust security postures, as threat actors increasingly view educational platforms as high-value targets with limited defensive resources.