Canvas Software Maker Instructure Pays Shiny Hunters Ransom for Student Data Deletion

Instructure, the company responsible for the widely used Canvas software, has confirmed it reached an agreement with the Shiny Hunters hacking group following a cyber-attack that severely disrupted academic institutions globally. The hackers, who had seized 3.5 terabytes of sensitive student and university data, threatened public release unless a ransom was paid.

Ransom Payment and Concerns

While Instructure did not disclose the financial terms, it is understood the agreement involved a payment to Shiny Hunters, a group notorious for demanding Bitcoin ransoms through encrypted chat services. This action directly contradicts advice from international law enforcement agencies, who caution that paying cybercriminals can incentivise further attacks and offers no guarantee of data deletion. Previous cases, such as those involving the LockBit ransomware group, have demonstrated that criminals often fail to destroy data even after receiving payments.

Instructure stated its primary motivation was safeguarding student and staff data, acknowledging the inherent risks. “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company commented.

Impact on Students and Institutional Response

The breach, discovered on 29th April, affected an estimated 9,000 institutions in the US, Canada, Australia, and the UK. Students, particularly those in the US, experienced significant disruption to their examinations and access to revision materials. Aubrey Palmer, a meteorology student at Mississippi State University, recounted how a ransom message from Shiny Hunters appeared during an exam, causing widespread confusion regarding the integrity of saved work. Mississippi State University subsequently postponed some exams to mitigate the impact.

Shiny Hunters, an English-speaking group believed to be young, is known for orchestrating data theft and subsequent extortion. The group has claimed previous breaches against Instructure in September 2025 and April 2026, prior to the recent incident. The group declined to comment on the stress inflicted upon students or the amount of the ransom payment.