- Instructure confirmed it paid ShinyHunters to delete stolen data and stop extortion
- The agreement included digital “shredding logs” and covered all affected customers.
- Amount paid not disclosed; law enforcement warns that ransom payments finance crime and do not guarantee safety
Instructure confirmed that it paid ShinyHunters their ransomware demand in exchange for deleting the data and not targeting its customers in the future.
The news was confirmed by the company’s CEO, Steve Daly, who explained his response in a blog post.
“Instructure has reached an agreement with the unauthorized actor involved in this incident,” the announcement said. “As part of this agreement, the data has been returned to us, we have received digital confirmation of the data destruction (shredding logs), we have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
The terms of the agreement
Daly also said the agreement covered all affected customers and stressed that there was no need for individual customers to attempt to engage with ShinyHunters.
It wasn’t clear how much money Instructure ended up paying, and law enforcement generally advises against paying ransom demands because they only fund more attacks, with no guarantee that the stolen data won’t show up somewhere on the dark web. Nor can it guarantee that the same group, or a different group, will not strike again in the future.
In early May 2026, news broke that Instructure, the education technology giant behind the popular Canvas learning system, had suffered a cyberattack and lost sensitive customer data. Hours later, ShinyHunters added Instructure to its data breach site, saying the breach affected nearly 9,000 schools and 275 million people, including students, teachers and other staff.
“Several billion private messages between students, teachers and other students involved, containing personal conversations and other personal information. Your Salesforce instance has also been hacked and many more other data are involved,” ShinyHunters was quoted as saying at the time.
A few days later, the group increased the pressure by defacing the Instructure login portal and removing the names of a few high-profile victims: Harvard, MIT, Oxford, Stanford, Princeton, Columbia, Cambridge, Cornell, Berkeley and Georgetown. He also listed Amazon, Apple and Cisco.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
