Instructure Pays Hackers to Delete Stolen Canvas Data, Experts Warn Payment Doesn’t End Threat

Instructure took its Canvas learning management system offline last week after detecting unauthorized access. The disruption locked out students and faculty during finals week, affecting institutions across the United States, including several Kentucky schools. The company said it worked with forensic vendors to investigate the breach and later announced it had received digital confirmation that the hackers destroyed copies of the data.

ShinyHunters claimed responsibility and said the breach exposed data from roughly 9,000 schools and 275 million people, demanding payment by May 6. Instructure confirmed it reached an agreement with the unauthorized actor, though it did not disclose payment details. Cybersecurity experts note that paying hackers does not guarantee data deletion, as stolen information can remain profitable for fraud or extortion.

The incident shows that even when a victim obtains assurances of data destruction, the underlying risk persists because the data may have already been copied or sold. Educational institutions relying on Canvas should assume that exposed identifiers such as names, email addresses, and student IDs could be used in phishing or credential‑stuffing attacks. The breach also highlights the growing trend of ransom groups targeting education sectors for large‑scale data sets.

Organizations should reset passwords for any Canvas accounts and enforce multi‑factor authentication where possible. Monitor for phishing attempts that use leaked names and email addresses, and implement email authentication controls such as DMARC, SPF, and DKIM.