Instructure has confirmed it reached an agreement with the criminal actor behind the Canvas data breach affecting education institutions across the globe.

The Utah-based learning platform owner said the deal returned stolen data and produced digital confirmation of its destruction.

In a 11 May statement, Instructure said it had been told no customers would be extorted as a result of the incident.

"The agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor," the company said.

Instructure has not disclosed whether money changed hands in the arrangement.

The threat actor, widely reported to be cyber extortion group ShinyHunters, had set a 12 May deadline for institutions to negotiate ransom payments.

The agreement followed mounting public pressure, including a US congressional briefing request and reports of direct contact between schools and the hackers.

Instructure CEO Steve Daly issued an apology on the same incident page, conceding the company had failed to communicate consistently with affected customers.

"You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that," Daly said.

The agreement raises questions about ransom payment that Instructure has so far declined to answer.

Ransomware negotiator Kurtis Minder, quoted by Reuters, said it was "fair to conclude that some money was sent" given the outcome described.

The US Federal Bureau of Investigation has consistently warned that paying threat actors does not guarantee data is destroyed or that re-extortion will not occur.

Stolen data was retained on criminal infrastructure for at least 12 days before the deal was struck.

Compromised fields include usernames, email addresses, course names, enrolment information and Canvas messages.

Core learning data including course content, submissions and credentials was not affected, Instructure said.

The company has confirmed the attacker exploited a flaw in support ticket functionality within its Free-For-Teacher accounts.

Free-For-Teacher accounts have been temporarily shut down while a full security review is completed.

A second incident on 7 May saw attackers deface Canvas login pages at roughly 330 institutions, exploiting the same Free-For-Teacher flaw.

Instructure says no data was taken during the second intrusion, based on findings to date.

Instructure has engaged CrowdStrike to conduct forensic analysis and has notified the FBI, the US Cybersecurity and Infrastructure Security Agency and international law enforcement.

The breach affected an estimated 9,000 schools and universities globally, including multiple Australian and New Zealand institutions.