Instructure Breaks Protocol: Paying Hackers to Secure Canvas User Data

In a move that directly contradicts federal security advice, education technology giant Instructure has struck a deal with the hacker group responsible for breaching its systems twice this month. The agreement ensures the return of stolen customer data and prevents further extortion, marking a significant deviation from standard industry and government protocols.

The breach involved the ShinyHunters ransomware group, which exfiltrated hundreds of gigabytes of data from Instructure’s cloud-based learning management system, Canvas. The scope of the leak was massive, potentially exposing the names, email addresses, and private messages of approximately 280 million users.

The Terms of the Recovery Agreement

ShinyHunters had issued a strict ultimatum: Instructure had to make contact before a May 12 deadline, or the group would publicly leak the stolen data. Instructure chose to engage, and the company now reports that the situation has been resolved through negotiation.

Key outcomes of the agreement include:

  • Data Return: The stolen data has been returned to Instructure.
  • Verification of Destruction: The company received digital confirmation of data destruction, specifically "shred logs," proving the hackers deleted their copies.
  • Non-Extortion Pledge: ShinyHunters provided assurance that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise."

While Instructure has not disclosed the financial terms of the deal, the company’s initial security update framed the decision as a necessary step to provide "additional peace of mind" to customers, despite the inherent risks of dealing with cybercriminals.

Defying FBI Guidance

The decision to pay the ransom and engage with the attackers stands in stark contrast to official guidance from U.S. authorities. The FBI explicitly advises against paying ransoms in response to cyberattacks, arguing that such payments fuel further criminal activity.

According to the BBC, a previous version of Instructure’s incident update acknowledged the complexity of the situation: "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible."

This stance directly opposes recent Federal Bureau of Investigation warnings. Last week, the FBI posted on X (formerly Twitter), stating: "If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands." The bureau specifically alluded to the Canvas breach in its warning, urging victims to avoid engagement.

ShinyHunters’ Recent Campaigns

Instructure is not the only major tech entity targeted by ShinyHunters recently. The group has been active across multiple high-profile sectors:

  1. Nvidia: ShinyHunters claims to have breached Nvidia’s GeForce Now service, alleging they "pulled their entire database straight from the backend."
  2. Rockstar Games: The group demanded a ransom from the developer of GTA 6 last month. However, subsequent reports revealed that the group did not possess as much valuable data as initially feared.

What Comes Next for Canvas Users?

As of now, it remains unconfirmed whether Instructure paid a specific sum to ShinyHunters, and the exact nature of the non-financial concessions made during the negotiation is likewise unconfirmed. The company’s latest security incident update does not explain the rationale behind choosing to broker an agreement with a known cybercriminal group.

Instructure leadership has indicated that more clarity will be provided in an upcoming webinar. The session will detail information about the cyber attack and outline the company’s activities to harden the system against future threats. For the 280 million affected users, the immediate concern is the security of their personal data, even though the breach has been technically contained.