Instructure Pays ShinyHunters Ransom to Little Likely Return

Cybercrime , Fraud Management & Cybercrime Instructure Pays ShinyHunters Ransom to Little Likely Return Hackers Constantly Break 'Confirmation of Data Destruction' Promises Mathew J. Schwartz (euroinfosec) • May 13, 2026     Share Post Share Get Permission Image: Shutterstock A hacker disruption of online learning platform Canvas during final exam season has now arguably become even worse after developer Instructure Holdings paid digital extortionists money in exchange for a putative vow to delete stolen data. See Also: AI Impersonation Is the New Arms Race-Is Your Workforce Ready? Utah-based Instructure Holdings develops free and paid versions of the online learning platform and counts more than 30 million active instructor and student users. "Instructure reached an agreement with the unauthorized actor involved in this incident," it said in a Monday apology, without revealing how much it paid. After breaching Instructure earlier this month, cybercriminal extortion group ShinyHunters raised the stakes by hitting the company's infrastructure again on Thursday, redirecting Canvas's K-12 and higher-education students and educators worldwide to a signed ransom note claiming it "breached Instructure (again)." The message claimed that that "instead of contacting us to resolve it, they ignored us and did some 'security patches,'" reflecting typical pressure tactics employed by ShinyHunters, which experts say is largely compromised of Western adolescents (see: Canvas E-Learning Platform Breached by Cybercriminals). ShinyHunters also began directly pressuring some of the 8,800 Instructure customers it said fell victim, seeking individual payoffs for a promise to not release stolen names, email addresses and private messages. Organizations such as Instructure entrusted with storing data about children get stuck between a rock and a hard place when targeted by data-leaking extortionists. Victims want to be seen doing something to restore their broken trust. If they want to pay for what they hope will be a face-saving maneuver, that's usually their call. But such firms do a disservice to victims by suggesting with a straight face that a ransom payment offers any reliably positive outcomes. Instructure told victims that "the data was returned to us," and that "we received digital confirmation of data destruction (shred logs)." In addition, "we have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise," adding that "this agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor." Cybercrime experts are not pleased. "It's sad to see criminals being placated like this," tweeted Alan Woodward, a visiting professor of computer science at England's University of Surrey. Paying ransoms perpetuates cyber extortion as an attractive business model, leading to yet more victims. Also, experts say that paying for intangible promises such as data deletion- as opposed to a decryptor - offers no guarantees, not least where valuable personal data is concerned. "The criminals have offered an 'assurance.' So that's alright then," said Ciaran Martin, a professor of practice at Oxford University, who served as the first CEO of Britain's National Cyber Security Center. "Also their 'assurance' appears to extend to extortion. It doesn't seem to extend to not selling the data on for scams. Which they will," he said. Ransomware experts say there's no evidence that a ransomware group has deleted any data. And evidence to the contrary abounds. Take PowerSchool, which makes a widely used K-12 student information system platform. After being breached in December 2024, it made the "difficult decision" to pay a ransom to its attackers. In return, the threat actor promised to delete the data he stole. But in May 2025, an IT administrator at an affected school district alerted me to a new twist: "Surprise! The attackers didn't delete the data that PowerSchool paid a ransom to have them delete." They knew, because they were being extorted by what appeared to be the same attacker (see: No Fairy Tale Ending: PowerSchool's Hacker Targets Customers). False promises are endemic. When the National Crime Agency led the infiltration and disruption of once high-flying ransomware group LockBit in October 2024, investigators discovered that since at least December 2022, despite receiving numerous ransoms to delete data, the group didn't delete anything. In a review of the data seized from LockBit, Max Smeets, co-director of Virtual Routes - formerly known as the European Cyber Conflict Research Initiative - found that victims who paid also typically increased their public exposure, rather than decreasing it (see: Ransomware Victim Warning: The Streisand Effect May Apply). The Canvas incident is a reminder that blocking attacks or mitigating them before data gets stolen remains the best possible outcome. Everything else involves tradeoffs, whether or not they get clearly spelled out.