'You deserved more': Instructure CEO apologizes following Canvas hack, admits company paid hackers to get stolen data back

News
By published

ShinyHunters are walking away with a pay day.

ransomware avast
(Image credit: Avast)
  • Instructure confirmed paying ShinyHunters to delete stolen data and halt extortion
  • Agreement included digital “shred logs” and covered all impacted customers
  • Amount paid undisclosed; law enforcement warns ransom payments fund crime and don’t guarantee safety

Instructure has confirmed it paid ShinyHunters their ransomware demand in exchange for deleting the data and not targeting its customers in the future.

The news was confirmed by the company’s Chief Executive Officer (CEO), Steve Daly, who explained its response in a blog post.

“Instructure reached an agreement with the unauthorized actor involved in this incident,” the announcement reads. “As part of that agreement the data was returned to us, we received digital confirmation of data destruction (shred logs), we have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.”

Latest Videos From

The terms of the deal

Daly also said the agreement covered all impacted customers and stressed there is no need for individual customers to attempt to engage with ShinyHunters.

It was not said how much money Instructure ended up paying, and law enforcement usually advises against paying ransom demands, since it just funds more attacks, while not guaranteeing the stolen data wouldn’t surface somewhere on the dark web. It also can’t guarantee the same group, or a different one, won’t strike again in the future.

In early May 2026, news broke that Instructure, the edtech giant behind the popular Canvas learning system, suffered a cyberattack and lost sensitive customer data. Hours later, ShinyHunters added Instructure to its data leak site, saying the breach affects nearly 9,000 schools and 275 million individuals, including students, teachers, and other staff.

"Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved,” ShinyHunters allegedly said at the time.

A few days later, the group turned up the heat by defacing the Instructure login portal and namedropping a few high-profile victims: Harvard, MIT, Oxford, Stanford, Princeton, Columbia, Cambridge, Cornell, Berkeley, and Georgetown. It also listed Amazon, Apple, and Cisco.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.