Instructure paid ShinyHunters to delete data stolen from Canvas, covering ~275 million individuals across ~9,000 schools, with no way to verify deletion.
Key Takeaways
ShinyHunters claimed the breach, threatening to leak data involving 275 million individuals and 9,000 schools unless ransoms were paid by May 6.
Stolen data included student IDs, email addresses, names, and Canvas messages; no passwords, financial data, or government ID data were confirmed compromised.
Instructure received “shred logs” as “digital confirmation” of deletion but publicly acknowledged this provides no real certainty.
Canvas was taken offline during the investigation, locking out students and faculty during finals and exposing how single-platform dependency amplifies breach impact.
Instructure engaged forensic vendors to harden systems and review exposed data scope post-incident.
Hacker News Comment Review
Consensus is that paying for deletion is theater: no enforcement mechanism compels the hackers to actually destroy their copies, making the “shred logs” assurance worthless.
Commenters flagged a perverse incentive: paying ransomware groups for data deletion funds and validates the attack model, making future attacks more likely.
Some argued such deals should be illegal outright, framing payment as a form of financing criminal actors with no security upside.
Notable Comments
@Levitating: Notes that ransom payment is common and often insurance-covered, but paying to “delete” data is controversial because it sustains ransomware economics.