Instructure Paid Ransom to ShinyHunters — Amount Hidden, Data Returned, Zero Transparency

Instructure quietly struck a ransom deal with ShinyHunters one day before the May 12 deadline, getting back data on 275 million users — but won't say how much it paid. The company is calling it a win. It isn't.

---

The Deal Is Done. The Price Is Secret.

Instructure paid. They just won't say how much.

The ed-tech company behind Canvas LMS confirmed Monday night it reached an agreement with ShinyHunters — the criminal gang that breached its platform twice in the span of roughly two weeks — according to reporting by Inside Higher Ed. The hackers have returned the compromised data and, per Instructure's own statement, provided "digital confirmation of data destruction (shred logs)."

The agreement covers all 8,800-plus affected institutions. Instructure told customers they have "no need" to negotiate separately with ShinyHunters.

What 275 Million People Are Supposed to Accept

The breached data included names, email addresses, student ID numbers, and — according to ShinyHunters themselves — several billion private messages between students and teachers. Instructure's May 6 statement, reported by Krebs on Security, said no passwords, dates of birth, government IDs, or financial data were confirmed stolen.

Instructure's credibility took a hit before the agreement was finalized. The company said on May 6 that the incident was "contained" and Canvas was "fully operational." By mid-day May 7, ShinyHunters had replaced the Canvas login page with a ransom demand — visible to students across dozens of schools and universities in the middle of final exams. Instructure pulled the entire platform offline.

So when Instructure now says the hackers have "destroyed" the data and promised no further extortion — why should anyone believe them? Because the criminals said so?

The Ransom Timeline, Spelled Out

May 1: Instructure acknowledges a cybersecurity incident, per TIME.

May 3: ShinyHunters publishes a ransom letter on Ransomware.live, demanding contact by May 6 or they'll leak everything.

May 6: Instructure says Canvas is secure and contained. ShinyHunters disagrees.

May 7: Hackers deface the Canvas login page. Instructure takes the platform offline. Chaos during finals.

May 11: Instructure announces a deal — one day before the May 12 deadline.

The amount paid: unknown. The mechanism of payment: undisclosed. Independent verification the data was actually destroyed: none.

ShinyHunters Is NOT a Minor League Operation

This isn't some basement hacker looking for a quick score. ShinyHunters is linked to recent breaches at the University of Pennsylvania, Princeton, and Harvard, according to Inside Higher Ed. This group has a track record. They breach, they extort, they move on.

Instructure's own statement acknowledges: "While there is never complete certainty when dealing with cyber criminals..." Paying ransoms funds future attacks. The FBI has said this repeatedly. Cybersecurity professionals have said this repeatedly. Instructure just handed a successful criminal organization proof that targeting schools works.

What Mainstream Media Is Getting Wrong

Most coverage is treating this as a resolution. "Instructure Pays Ransom, Gets Data Back" — story over. That framing is incomplete.

First, there is zero independent confirmation the data was actually destroyed. "Shred logs" provided by the same criminals who breached the system twice are not evidence of anything except that the criminals can write a log file.

Second, nobody is asking the obvious question: Why were Free-For-Teacher accounts the attack vector? Instructure confirmed to TIME that ShinyHunters "exploited an issue related to our Free-For-Teacher accounts." The company responded by shutting those accounts down. What was the vulnerability? How long had it existed? Was it disclosed to regulators?

Third, the scale here is staggering and under-reported. 275 million users. That's one of the largest education data compromises in U.S. history. It affects 41 percent of higher education institutions in North America, per Inside Higher Ed.

What This Means for Students, Parents, and Schools

If your school uses Canvas — and there's a 41 percent chance your college does — your name, email, and student ID were in that breach. Possibly your private messages too.

Instructure is asking you to trust that a criminal gang kept its word and deleted everything. That trust is worth exactly what you paid for it: nothing.

Change your passwords. Watch for phishing emails using your student email address. Be skeptical of any communication that references your school, your courses, or your student ID.

And remember: Instructure's IT security team said this was "contained" — the day before hackers defaced their login page. These are the people now assuring you everything is fine.

Sources used for this briefing

This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.

[center-left] TIME: What to Know About the Canvas Cyberattack

[left] NYT: Instructure Strikes Deal for Hackers for Return of Canvas Data

[unknown] Inside Higher Ed: Instructure Pays Ransom to Canvas Hackers

[unknown] Krebs on Security: Canvas Breach Disrupts Schools & Colleges Nationwide