On May 11, hours before ShinyHunters’ self-imposed deadline, Instructure announced it had reached an “agreement” with the group responsible for breaching Canvas twice in two weeks. The company said it received digital confirmation of data destruction, that no Instructure customers would be extorted as a result of the incident, and that individual institutions had no need to engage with the attackers directly. Instructure did not explicitly confirm it paid a ransom, though the language of the statement (“agreement,” “digital confirmation of data destruction,” coverage extending to all impacted customers) is consistent with what a negotiated payment typically looks like. The company has not answered direct questions about whether money changed hands.
The ransom debate is not new. The arguments on both sides are well-established, and most security professionals have a default position on it. This case is worth revisiting anyway, because it adds a few wrinkles that the standard framework doesn’t fully account for.
The Case Against Paying
The standard argument against paying ransoms starts with incentives. Every payment funds the next campaign, validates the business model, and tells every other threat actor that this approach works. ShinyHunters did not appear out of nowhere. They have a documented history going back to 2019, with major breaches against Microsoft, AT&T, Ticketmaster, and others. The education sector is their newest hunting ground, and a successful payout from one of the largest ed-tech companies in the world is a significant data point for anyone evaluating whether to target this sector next.
The second argument is that payment doesn’t guarantee anything. Instructure says it received “shred logs” as proof of data destruction. Shred logs are not independently verifiable. There is no third party in the room when a threat actor claims to delete data, and history provides plenty of examples where paid ransoms were followed by the data surfacing anyway, sometimes months or years later. The PowerSchool breach from last year is the relevant precedent here: the company paid, and months later employees across North Carolina were still receiving threatening messages from people claiming to have the data. Paying bought time, not safety.
The third argument is the congressional dimension. The US House Homeland Security Committee sent a letter to Instructure’s CEO on the same day the agreement was announced, requesting a briefing on both intrusions. Paying a ransom while under congressional scrutiny is a choice that will require explaining, and the explanation will need to be more substantive than “we reached an agreement.”
The Case For Paying (In This Specific Situation)
The standard case for paying usually comes down to one thing: restoring operations quickly. That argument is less compelling when the attacker has already demonstrated they can get back in, as ShinyHunters did when they breached Canvas a second time through the same vulnerability after Instructure thought the first incident was resolved.
The more interesting argument in this case is scale. 275 million records. 8,800 institutions. Private messages between students and teachers. Names, email addresses, student ID numbers. If that dataset gets released publicly, it becomes a permanent resource for phishing campaigns, social engineering, and identity fraud targeting the global higher education population. The damage from a public release isn’t a one-time event. It’s a long tail of downstream incidents that individual institutions and individuals have no ability to prevent or remediate.
Instructure’s position, essentially, was that the cost of a public release exceeded the cost of the ransom. For a company with 41% penetration in North American higher education, protecting the data of 30 million active users is not just an ethical argument. It’s an existential one. A public release of that dataset, combined with two confirmed breaches and a congressional investigation, is an event that doesn’t just damage Instructure’s reputation. It potentially ends it.
The argument that ShinyHunters has a track record of honoring agreements when paid is also relevant here, though it deserves skepticism. Threat actors who consistently fail to honor agreements don’t stay in the extortion business for long, because victims stop paying. There is a perverse logic to honoring the deal: it keeps the payment model viable. Which brings us to the most uncomfortable part of this analysis.
Why It’s Actually in ShinyHunters’ Interest to Honor the Agreement
This is the part that doesn’t get discussed enough when people debate ransom payments.
Extortion at scale requires trust. Not moral trust, but functional trust. If ShinyHunters develops a reputation for taking payment and releasing the data anyway, rational actors stop paying. The expected value of paying drops to zero if the outcome is the same regardless of whether you pay. Threat actors who want to monetize data through extortion rather than selling it need victims to believe that payment changes the outcome.
ShinyHunters has operated long enough and hit enough high-profile targets to understand this dynamic. Their business model depends on a credible commitment to honor agreements. That’s not a guarantee; it’s an incentive structure. And incentive structures can change: if law enforcement pressure increases, if the group splinters, if individual members decide the data is worth more on the open market than the negotiated ransom, the agreement is worth nothing. The “shred logs” Instructure received are a gesture toward credibility, not proof of anything.
The PowerSchool comparison is worth keeping in mind. Payment bought a period of quiet. It did not buy permanent safety.
What This Changes Going Forward
Instructure paying changes the calculus for every higher education institution evaluating their posture right now. The implicit message is that a sufficiently large breach of a sufficiently central vendor will get paid out. That’s a targeting signal.
The more constructive takeaway is the vendor risk question. Instructure was breached twice through the same vulnerability in a Free-for-Teacher product that likely received less security scrutiny than their core platform. The exploit gave attackers administrative access. The breach affected institutions that had no visibility into their vendor’s security posture and no ability to prevent what happened.
The standard advice applies: rotate Canvas API keys, OAuth tokens, and SSO credentials if you haven’t already. Expect a wave of phishing using the exposed data. And take a hard look at what your other vendors are holding on your behalf, because Instructure will not be the last.
This post is based entirely on publicly available reporting as of May 12, 2026. No internal or non-public information has been used.