RC RANDOM CHAOS

Instructure Pays ShinyHunters After Twin Canvas Breaches Hit 275M Users

via Hacker News

Original source: Instructure pays ransom to Canvas hackers (Hacker News)

Instructure paid an undisclosed ransom to ShinyHunters after the group breached Canvas twice in under two weeks, exposing data tied to roughly 275 million users across more than 8,800 institutions. The company says it received shred logs as proof of data destruction and a blanket assurance that no Canvas customers will be extorted further, sparing individual universities from negotiating directly with the attackers. The deal landed one day before ShinyHunters’ May 12 deadline, after the group disrupted Canvas during final-exam season and publicly mocked Instructure’s initial ‘security patches’ as inadequate.

The stolen trove reportedly includes names, emails, student IDs, and billions of private messages between students and instructors. ShinyHunters, also linked to recent breaches at Penn, Princeton, and Harvard, claimed that Instructure ignored its first ransom demand, which forced a second intrusion to get the company’s attention. CEO Steve Daly conceded the company went too quiet during the first incident and pledged more consistent communication going forward.

Security practitioners pushed back hard on the decision. Cliff Steinhauer of the National Cybersecurity Alliance warned that payment reinforces the economics of extortion against critical education infrastructure and normalizes ransom as incident response. He also flagged the core verification problem: ‘shred logs’ are unfalsifiable, and stolen data routinely resurfaces in resale or follow-on extortion months or years later.


This is an AI-generated summary. Read the original for the full story.