ShinyHunters breached Instructure twice in under a year, claiming data on 275 million students and staff from Canvas, the school platform used by nearly 9,000 institutions. On Monday, Instructure confirmed it had “reached an agreement” with the group, though it didn’t disclose what it paid.
The first breach landed April 29. When payment didn’t come fast enough, ShinyHunters returned a second time, defacing Canvas login pages on school websites. By Tuesday, the group’s leak-site listing, which had threatened to publish the stolen data, was gone.
A ShinyHunters representative confirmed to TechCrunch: “The data is deleted, gone. The company and its customers will not further be targeted or contacted for payment by us.” Instructure acknowledged there’s “never complete certainty” when negotiating with cybercriminals, but told its customers they wouldn’t need to deal with the hackers directly.
The FBI issued a statement last week saying it was “aware” of disruptions to U.S. schools and urged victims not to “send payment or respond” to cybercriminal demands. Instructure didn’t respond when contacted Tuesday, and the company wouldn’t say whether CEO Steve Daly plans to resign.
The pattern here isn’t new. PowerSchool paid hackers after its 2024 breach affecting 70 million students and staff. A second criminal group later extorted PowerSchool’s customers using data that was never destroyed. Security researchers have argued that criminals’ promises to delete stolen data can’t be trusted.
Stolen data from Instructure includes students’ names, personal email addresses, and private messages between teachers and students. The company says it’s still investigating.
James Okafor