BackTECH
Canvas hack: Instructure pays criminals to delete stolen student data
The Canvas outage following a data breach led to an agreement where Instructure paid hackers to delete stolen data and refrain from releasing it. The company emphasized protection of students' data while authorities caution that paying criminals can fuel further attacks. The disclosure timeline shows prior breach notices and subsequent extortion activity linked to the Shiny Hunters group.
Why It Matters
The incident highlights the ongoing tension between responding to cyber extortion and adhering to best practices that discourage paying criminals, while affecting thousands of students and institutions and raising questions about data security and transparency.
Timeline
9 Events
Agreement reached; data destruction confirmed; no customer extorted
May 12, 2026
Instructure confirmed it had reached an agreement with the hackers. The data was returned with digital confirmation of data destruction, and it was stated that no Instructure customers would be extorted as a result of the incident; the agreement covers all affected customers.
Payment to hackers to delete stolen data
May 12, 2026
The article states Instructure paid the hackers not to publish the stolen data online.
Threat to publish 3.5 terabytes of stolen data
April 29, 2026
Shiny Hunters threatened to publish 3.5 terabytes of student and university data unless a ransom was paid, noting that 'Shiny Hunters has breached Instructure (again)'.
Breach discovered and claimed by Shiny Hunters
April 29, 2026
The breach was discovered on April 29, 2026 and was claimed online by the Shiny Hunters extortion group.
Breach disclosed by Instructure
September 2025
Instructure disclosed a breach in September 2025 in a post on its blog, initiating the public timeline of the Canvas hack.
Instructure confirms agreement with hackers to delete data
May 12, 2026
Instructure confirmed it had reached an agreement with the hackers to delete the stolen data and not to extort students or institutions; the data would be returned and a digital confirmation of data destruction provided. The agreement covers all affected customers, with no need for individuals to engage with the hackers.
Breach discovered and claimed online by Shiny Hunters
April 29, 2026
The breach was discovered on April 29, 2026 and was claimed online by the prolific Shiny Hunters extortion group.
Shiny Hunters claim breach again (April 2026)
April 2026
Shiny Hunters claimed it breached Instructure again in April 2026, ahead of the 29 April attack.
Instructure discloses breach (publicly) in September 2025
September 2025
Instructure disclosed a breach in September 2025 in a post on its blog.