Instructure paid an undisclosed ransom to ShinyHunters after two Canvas breaches exposed 275 million users across 8,800+ institutions.
Key Takeaways
ShinyHunters breached Canvas twice in May 2026, leaking names, emails, student IDs, and billions of private messages between students and teachers.
Instructure received “shred logs” as confirmation of data destruction, along with an assurance that no customers will be extorted further; the amount paid is undisclosed.
The deal covers all affected institutions; Instructure says individual customers have no need to negotiate separately with ShinyHunters.
Canvas disruptions forced widespread university exam postponements during finals week; full service restored by May 12.
ShinyHunters is also linked to breaches at UPenn, Princeton, and Harvard in the same period.
Hacker News Comment Review
Commenters widely flagged the “shred logs” claim as naive or pure PR – there is no technical mechanism to verify cybercriminals actually destroyed exfiltrated data.
The collective action problem dominated debate: each victim is individually incentivized to pay, but payments fund the industry; commenters cited the US government no-ransom policy as the structural fix.
Several commenters noted a curious dynamic: ransomware groups must honor deals to maintain credibility as extortionists, which partially explains why paying sometimes works in practice.
Notable Comments
@evantahler: Asked how the breach actually happened – no technical root cause has been disclosed, leaving defenders with nothing actionable to learn.
@yoavm: Raised an unresolved legal/accounting question: how does a public company book a crypto ransom payment for tax authorities?