- Instructure confirmed paying ShinyHunters to delete stolen data and stop extortion
- The agreement included digital “shred logs” and covered all affected customers
- Amount paid undisclosed; law enforcement warns that ransom payments finance crime and do not guarantee security
Instructure has confirmed that it paid the ransom ShinyHunters demanded in exchange for deleting the stolen data and not targeting its customers in the future.
The news was confirmed by the company’s Chief Executive Officer (CEO), Steve Daly, who explained his response in a blog post.
“Instructure reached an agreement with the unauthorized actor involved in this incident,” the announcement reads. “As part of this agreement, the data was returned to us, we received a digital confirmation of data destruction (shred logs), we have been informed that no Instructure customers will be blackmailed as a result of this incident, publicly or otherwise.”
The terms of the agreement
Daly also said that the agreement covered all affected customers and emphasized that there is no need for individual customers to try to engage with ShinyHunters.
Instructure did not say how much it ended up paying. Law enforcement usually discourages paying ransom demands, since payment funds more attacks and does not guarantee that the stolen data didn’t end up somewhere on the dark web. Nor does it guarantee that the same group, or another, will not strike again in the future.
In early May 2026, news broke that Instructure, the edtech giant behind the popular Canvas learning system, suffered a cyber attack and lost sensitive customer data. Hours later, ShinyHunters added Instructure to its data breach page, saying the breach affects nearly 9,000 schools and 275 million individuals, including students, teachers and other staff.
“Several billions of private messages among students and teachers and students and other involved students, containing personal conversations and other PII. Your Salesforce instance was also breached and much more other data is involved,” ShinyHunters reportedly said at the time.
A few days later, the group turned up the heat by defacing the Instructure login portal and naming a few high-profile victims: Harvard, MIT, Oxford, Stanford, Princeton, Columbia, Cambridge, Cornell, Berkeley, and Georgetown. It also listed Amazon, Apple and Cisco.




