Instructure paid. The company confirmed on May 12 that it had reached an agreement with ShinyHunters following the breach of its Canvas LMS platform that exposed data on 275 million students across more than 8,800 institutions worldwide. The announcement came hours before the hackers’ final deadline. Instructure said it received “digital confirmation of data destruction” in the form of shred logs. The ransom amount was never disclosed.

The entry from ShinyHunters’ dark web leak site disappeared shortly after Instructure published its statement. The operational signature — targeted breach, escalating deadline, quiet settlement, removal from leak site — matches the group’s established playbook precisely.

This is the conclusion of what became the largest educational data breach in recorded history. It is also a case study in what paying ransomware operators actually buys: a document, a promise, and no way to verify either.

How We Got Here

We covered the initial breach when it broke on May 5. ShinyHunters claimed 3.65 terabytes of data from Instructure’s systems — student names, institutional email addresses, student ID numbers, Canvas inbox messages, and discussion post content from institutions across more than 70 countries. Instructure confirmed the breach. The May 6 deadline came and went without public resolution.

What happened next was not a one-time escalation. ShinyHunters hit Instructure a second time on May 7, defacing Canvas login portals at roughly 330 institutions with extortion messages and resetting the clock with a new deadline: May 12 or the data goes public. The second intrusion occurred during finals week at many US universities, disrupting academic operations at institutions including Penn, Duke, and hundreds of others that depend on Canvas as the backbone of their academic infrastructure.

The double-breach pattern is notable. ShinyHunters’ first intrusion exploited a vulnerability in the “support tickets” feature of Instructure’s Free-for-Teacher environment. The second occurred after Instructure claimed the situation had been resolved. Either remediation was incomplete, or the group had maintained persistent access that the initial response failed to eliminate.

What the “Agreement” Actually Means

Instructure’s May 12 statement is worth reading carefully, because it says quite a lot while confirming almost nothing verifiable.

The company said it “retrieved the stolen data” and received “digital confirmation of data destruction.” Those shred logs are records provided by the attacker. They are not independently auditable. There is no third-party forensic firm that can certify that a criminal group has deleted 3.65 terabytes of stolen data from every system it touched. The shred logs prove that a file deletion process was run on something, somewhere, at a time the attackers chose to document. They do not prove the data no longer exists.

This is the fundamental problem with paying ransomware operators for data suppression. The purchase is of an unenforceable promise from a criminal enterprise. ShinyHunters has honored these agreements before — the Medtronic settlement earlier in April followed the same pattern, with data disappearing from the leak site after confirmation. That track record is the closest thing to enforcement available. It is not nothing, but it is not a guarantee.

The ransom amount was not disclosed and is unlikely to be. Instructure is a private company, which removes the SEC Form 8-K mechanism that forced Medtronic and others into partial transparency. The cost of the agreement will not appear in any public filing in a form that identifies it as a ransom payment.

What 8,800 Institutions Are Left Holding

Paying the ransom does not extinguish institutional notification obligations. Every institution using Canvas confirmed its students’ data was accessed and exfiltrated by a criminal organization. That disclosure event already occurred. FERPA notification obligations are triggered by improper disclosure of education records, not by whether the disclosing party subsequently claims to have deleted the data.

Institutions that have not already initiated breach notification procedures are operating behind the compliance clock. State breach notification laws in California, New York, Texas, and Illinois impose specific timelines — typically 30 to 72 days from discovery — that are now running against the May 5 public confirmation date. ComplianceHub.Wiki’s AG portal directory has direct submission links for every state. Schools that want a rapid read on their overall security posture — including vendor management, incident response readiness, and FERPA/COPPA compliance — can run the free assessment at school.secureiot.house.

GDPR-obligated institutions — any European university or institution enrolling EU-resident students — faced a 72-hour supervisory authority notification deadline from the moment the breach was confirmed. Many of those deadlines have already passed.

The second breach, on May 7, further complicates the institutional response. If ShinyHunters maintained access through May 7 and potentially beyond, the scope of what was exfiltrated during the second intrusion is not fully established. Institutions should not assume the 3.65TB original claim is the ceiling of what was taken.

The Verification Problem

The cybersecurity industry broadly agrees that paying ransoms for data suppression is unreliable and counterproductive. The FBI and CISA both formally discourage it. The logic is not complicated: there is no enforcement mechanism, payment validates the business model, and the group can retain a copy and return with the same data as leverage in a future extortion attempt.

ShinyHunters is not a disorganized crew. They are the same group behind the Ticketmaster breach (560 million records, 2024), Santander Bank, AT&T, Carnival (87 million records, confirmed just this week), Cushman & Wakefield, and now Instructure. They operate with structural discipline — consistent sizing, consistent deadline patterns, consistent leak-site behavior. That consistency suggests they have calculated that honoring agreements is in their long-term commercial interest. A group that sells data after receiving payment would rapidly lose its ability to extract ransom payments at all.

That logic is the strongest argument for why the data may actually be gone. It is not a legal guarantee. It is an incentive structure.

What Changes for Affected Students

The data that was in ShinyHunters’ possession — assuming the shred logs are accurate — covered names, institutional emails, student ID numbers, and private Canvas inbox messages. Even if the primary copy is destroyed, the window between initial exfiltration and today is long enough that data could have been copied, sampled, or shared before any deletion occurred.

Students affected by this breach should treat the agreement as good news — a better outcome than the alternative — while recognizing that it does not return them to the pre-breach state. Canvas email addresses are known to have been in criminal hands. Targeted phishing attempts referencing course names, instructors, or institutional affiliations remain a credible threat. Any student who disclosed sensitive personal circumstances via Canvas inbox — medical conditions, mental health issues, financial hardship, disability accommodations — should remain alert to contact from parties that seem unexpectedly aware of that information.

The institutions now have confirmation of the scope and a plausible reason to believe the data is not being actively traded. That is not the same as safety. It is the best available outcome in a situation that should not have been available for purchase at any price.
