- Instructure confirmed paying ShinyHunters to delete stolen data and stop extortion
- The settlement included digital confirmation of data destruction ("record shredding") and covered all affected customers
- Undisclosed amount paid; authorities warn that ransom payments finance crimes and do not guarantee security
Instructure has confirmed that it paid ShinyHunters' ransom demand in exchange for the group deleting the stolen data and not attacking its customers in the future.
The news was confirmed by the company’s chief executive officer (CEO), Steve Daly, who explained his response in a blog post.
“Instructure has reached an agreement with the unauthorized actor involved in this incident,” the announcement reads. “As part of that agreement, data was returned to us, we received digital confirmation of data destruction (record shredding), we were informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”
The terms of the deal.
Daly also said the settlement covered all affected customers and emphasized that there is no need for individual customers to attempt to interact with ShinyHunters.
Instructure did not say how much money it ended up paying. Authorities generally advise against paying ransom demands, as payments only fund more attacks without ensuring that the stolen data doesn't appear somewhere on the dark web. Nor does paying guarantee that the same group, or a different one, will not attack again in the future.
In early May 2026, it emerged that Instructure, the edtech giant behind the popular Canvas learning system, suffered a cyberattack and lost sensitive customer data. Hours later, ShinyHunters added Instructure to its data breach site, stating that the breach affects nearly 9,000 schools and 275 million people, including students, teachers and other staff.
“Several billion private messages between students, teachers, students and other students involved, containing personal conversations and other personal information. Your Salesforce instance was also breached and there is much more data involved,” ShinyHunters allegedly said at the time.
A few days later, the group turned up the heat by defacing Instructure’s login portal and naming some high-profile victims: Harvard, MIT, Oxford, Stanford, Princeton, Columbia, Cambridge, Cornell, Berkeley, and Georgetown. It also included Amazon, Apple and Cisco.





