Last week, a high-profile cyberattack against Instructure, the developer of the widely used learning management system Canvas, upended academic operations at thousands of post-secondary institutions across North America, Europe and Oceania. In the wake of the breach that disrupted mid-semester exams and locked students out of critical learning resources, the company has confirmed it reached a confidential agreement with the extortion group behind the attack to prevent the public release of 3.5 terabytes of stolen institutional and student data.
The breach, first detected on April 29, was immediately claimed by Shiny Hunters, a prolific English-speaking cybercriminal group with a track record of high-profile breaches against major global brands including Jaguar Land Rover and Gucci. The attack took Canvas offline for thousands of users, bringing exam schedules to a halt at an estimated 9,000 institutions across the United States, Canada, Australia and the United Kingdom. For many students, the disruption came at the worst possible moment: Aubrey Palmer, a meteorology student at Mississippi State University, told reporters the ransom note popped up on their screen immediately after they finished writing a 2,900-word final exam essay. Palmer and dozens of their classmates were left confused for hours, unsure if their work had been saved, before the university postponed affected exams to let students recover lost progress.
In a public statement posted to its website, Instructure confirmed the deal with Shiny Hunters, saying the hackers have formally agreed to delete all stolen data and pledged not to target individual students or affected institutions with separate extortion attempts. Under the terms of the agreement, all stolen data has been returned to Instructure, and the company has received digital confirmation that the information has been destroyed. The deal covers all customers impacted by the breach, and no individual users will need to interact directly with the criminal group, the company added.
While neither Instructure nor Shiny Hunters has explicitly confirmed that a ransom payment was exchanged, industry observers note that extortion groups like Shiny Hunters uniformly operate on a model of demanding bitcoin payments via encrypted chat platforms after successful data breaches. It remains rare for victim organizations to publicly acknowledge paying ransoms, but Instructure has opted for unusual transparency throughout the incident, updating the public regularly on its website. Analysts say this openness is likely a response to the high visibility of the attack, which directly impacted thousands of students sitting for high-stakes exams.
Instructure defended its decision to reach an agreement with the hackers, noting that protecting the personal data of students and education staff was its top priority. “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said.
The decision to pay runs directly counter to longstanding guidance from law enforcement agencies around the world, which warn that paying ransoms emboldens criminal groups to carry out future attacks and provides no guarantee that stolen data will actually be destroyed. History is rife with examples of cybercriminals accepting ransom payments but retaining copies of stolen data to sell on underground black markets: when the UK’s National Crime Agency dismantled the notorious LockBit ransomware syndicate, investigators found that thousands of stolen records were still held by the group even after victims had paid to have the data destroyed.
Further context around the attack has revealed Shiny Hunters had targeted Instructure multiple times before the April 29 incident. In an interview with the BBC via Telegram, the group claimed it had hacked the company twice previously: Instructure publicly disclosed one breach in September 2025, while Shiny Hunters says it carried out an additional unreported breach in early April 2026. When asked about the widespread stress and academic disruption the attack caused for students, the group declined to comment, and also refused to disclose the size of the payment it received from Instructure.