3 minute read
Instructure Wrote a Very Expensive Check
Instructure, the company behind Canvas LMS, confirmed last night it paid off ShinyHunters, the crew that hacked Canvas twice in under two weeks and walked off with data on 275 million students and teachers across 8,809 schools. The deadline was today, May 12. The company says it got “shred logs” proving the data was destroyed, plus a pinky promise nobody else will be extorted. Take a wild guess how much faith cybersecurity folks have in pinky promises from criminals.
What the Hackers Grabbed
The stolen haul covers names, email addresses, student IDs, and private messages between users. Instructure says no passwords, government IDs, dates of birth, or financial info were in the pile, which is the one piece of good news. The bad news is that the leaked stuff is exactly what scammers love. Real names, real emails, real school IDs, all tied together in one neat package. That’s a starter kit for targeted phishing. Expect “Your professor sent you a file” emails to start landing any minute.
Finals Week, Of Course
The original deadline was May 7, which the hackers helpfully extended to May 12. Why so generous? Canvas was busy getting defaced mid-finals week, with login pages swapped out for ransom notes while students tried to submit papers. Nothing says leverage like millions of panicked 19-year-olds and their professors screaming at the same vendor. The timing wasn’t an accident.
The “We Paid, You’re Safe” Pitch
Instructure is telling schools they don’t need to do anything because the deal “covers all impacted customers.” Security researchers reading that are doing the thing where you slowly close your laptop. ShinyHunters runs a “pay or leak” model with zero history of honoring deletion promises. There is no audit. There is no court. There is no return policy on stolen data. The “shred logs” are a screenshot the criminals chose to send. That’s the receipt.
The Real Problem Starts Tomorrow
Here’s the part nobody at Instructure wants on the press release. Around 80% of organizations that pay ransoms get hit again, and most of those repeat hits happen within a month. Paying works the way feeding a stray cat works. The cat tells its friends. ShinyHunters already breached Instructure eight months ago through a separate Salesforce angle. Now they know two things: the door isn’t locked, and the wallet opens. So does every other gang watching today.
What Students and Parents Should Do
Don’t wait for a notification letter. Assume your data is out there and act on it. Turn on multi-factor authentication on anything tied to a school email. Be aggressively suspicious of messages claiming to be from a professor, financial aid office, or “Canvas Support” asking you to click. Watch for scholarship scams and fake tuition refund offers. The data is gone. The only thing you control is what happens next.
Sources: Inside Higher Ed, Instructure, US Department of Education, Halcyon, Bitdefender, Cybereason
