Canvas hack: Company pays criminals to delete students' stolen data

The company behind Canvas says it has "reached an agreement" with the hackers who disrupted thousands of colleges and universities. Canvas hack: Company pays criminals to delete students' stolen data Copyright current_year BBC. All rights reserved. The BBC is not responsible for the content of external sites. Read about our approach to external linking. Copyright current_year BBC. All rights reserved. The BBC is not responsible for the content of external sites. Read about our approach to external linking. A stock image of US university students in exams A stock image of US university students in exams. There are a row of students in front of computers The company behind the popular Canvas software, which was hacked last week causing major disruption at thousands of universities and colleges, has paid the hackers not to publish stolen data online. The cyber-attack affected an estimated 9,000 institutions in the US, Canada, Australia and the UK, with exams disrupted after the Canvas service went down. The hackers threatened to publish 3.5 terabytes of student and university data they had stolen in the breach. Instructure, the maker of Canvas, has now confirmed it has "reached an agreement" with the hackers, who have said they deleted the data and promised not to extort any students or institutions. Instructure, the maker of Canvas, has now with the hackers, who have said they deleted the data and promised not to extort any students or institutions. Paying cyber criminals goes against the advice of law enforcement agencies around the world, as it can fuel further attacks and offers no guarantee the data has been deleted. In previous cases, criminals have accepted ransom payments but lied about destroying stolen data, instead keeping it for resale. For example, when the notorious LockBit ransomware group was hacked by the National Crime Agency, police found stolen data had not been deleted even after payments had been made. Instructure said in a statement on its website that protecting students' and education staff data was its primary motivation. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said. Instructure did not set out the terms of the agreement but said that it meant that: it received "digital confirmation of data destruction" it had been informed that no Instructure customers would be extorted as a result of the incident the agreement covers all affected customers, with no need for individuals to engage with the hackers The breach was discovered on 29th April and was claimed online by the prolific Shiny Hunters extortion group. Neither the hackers nor the company are explicitly saying that money was exchanged, but cyber extortion groups like Shiny Hunters operate by forcing their victims to send money in bitcoin after a negotiation through an encrypted chat service. A ransom note demanding payment in bitcoin appeared on screens during a cyber-hacking incident on the cloud-based platform Canvas. A ransom note demanding payment in bitcoin appeared on screens during a cyber-hacking incident on the cloud-based platform Canva. It is unusual for victims of cyber attacks to publicly acknowledge paying hackers, but Instructure has maintained a high level of transparency, providing regular updates on its website. That openness may be partly because the attack was highly visible and affected students directly. Students sitting exams in the US were particularly badly affected, losing access to Canvas for revision and, in some cases, having online exams interrupted. Aubrey Palmer, a meteorology student at Mississippi State University, told the BBC that they and other students had just finished writing a 2,900‑word exam essay when a ransom message suddenly appeared on their screens. Meteorology student Aubrey Palmer points to a weather diagram on a blackboard with a piece of chalk while smiling and facing a classroom. The note read: "Shiny Hunters has breached Instructure (again)." It threatened to release stolen data unless a ransom was paid in bitcoin by Canvas or affected universities. "My knee‑jerk reaction was that I'd been hacked myself, because that's what it looked like," Aubrey said. "But then I actually read the ransom note and saw it was Canvas that had been hacked." Aubrey added dozens of students received the same message, and there was confusion in the exam room about whether their work had been saved. Mississippi State University later announced some exams would be postponed to allow students to recover any lost work. Shiny Hunters is known for hacking organisations, stealing data and then publicly pressuring victims to pay ransoms in bitcoin. The group has been linked to other breaches, including attacks on Jaguar Land Rover and Gucci. The criminals are English‑speaking and believed to be young. In Telegram messages exchanged with the BBC, Shiny Hunters said it had hacked Canvas twice before last Thursday's attack. Instructure disclosed a breach in September 2025 in a post on its blog. Shiny Hunters has also claimed it breached the company again in April 2026, ahead of the 29 April attack. When asked how it felt about the stress and disruption caused to students like Aubrey Palmer, the group said: "We have no comment on that." It would not say how much it had been paid by Instructure. Have you been affected? Share your experiences here Have you been affected? Share your experiences Joe Tidy looking down at a phone. He has short brown hair and is wearing a light blue shirt. 'You'll never need to work again': Criminals offer reporter money to hack BBC Negotiations have progressed in recent months, according to multiple officials familiar, with the White House optimistic of reaching a deal. Eileen Wang could face up to 10 years in prison following the Department of Justice allegations. The lawsuit comes amid increased scrutiny over platform features like auto-play that deliver endless content to users. While hackers used to sneak into computer systems, intimidation of staff is now more common. A hacking group breached the academic software Canvas, used by thousands of schools and universities across the globe. The warning followed a statement from the JFSC highlighting a scam entity called Sky Dove Finance. The RBI is mulling measures to tackle rising cases of digital fraud in India - but will they work? The site was hit with 142 million requests, redirecting users to south-east Asian gambling" sites.