Data Ransom: How Instructure Cut a Deal with the ShinyHunters

Instructure, the company behind the Canvas school portal, just paid off the hackers who broke into its systems twice in a single year. On Tuesday, the company admitted it reached an agreement with a cybercrime group called ShinyHunters. These hackers stole a mountain of student and staff data and messed with the school websites of thousands of institutions that use the Canvas software.

The group claimed they grabbed personal info for a total of 275 million people. They said they hit nearly 9,000 schools that use Canvas to manage everything from grades to daily coursework. To pressure the company, the hackers didn’t just sit on the data. Last week, they broke in a second time and defaced Canvas login pages on various school websites to demand their ransom.

The Secret Settlement

Instructure posted an update on its incident page late Monday saying it had a deal. According to the company, the hackers provided proof that they had destroyed the stolen data. Because of this, Instructure says its customers won’t be extorted anymore. While the company knows you can’t fully trust a criminal, it argued that its customers shouldn’t have to deal with these hackers directly.

We don’t know how much money changed hands. Instructure kept the financial details secret and hasn’t answered more questions about the payoff. However, the listing for Instructure on the ShinyHunters’ leak site vanished on Tuesday, which usually means the check cleared. A representative for the hackers told reporters that the data is “deleted, gone” and they won’t target these customers for payment again.

Playing a Dangerous Game

This move goes against what many governments, including the U.S., tell victims to do. Officials have urged companies for years not to pay ransoms. Paying up makes cybercrime profitable and encourages more attacks. Security experts also point out that you can’t take a hacker’s word for it. Some groups have said they deleted data only to keep it and extort the victims again later.

This isn’t the first time a major education tech company has ended up in this spot. Back in 2024, PowerSchool—which also makes school software—got hit by a breach affecting 70 million people. They paid the hackers to get the data back, but a different crime group later extorted several of their customers using that same data. It shows that once your data is out there, paying a ransom doesn’t guarantee it will ever be safe.

What Was Actually Taken?

The FBI says it is aware of the disruption at schools and colleges across the country. They reminded everyone that victims should “not send payment or respond” to these criminals. The data the ShinyHunters walked away with included names, personal emails, and messages between teachers and students. It also included private and personal info that could be used for identity theft.

Instructure admitted these were two separate breaches in less than a year. They say they are still investigating what happened and checking their findings. It’s still a mystery who is actually in charge of cybersecurity at the company. When asked if CEO Steve Daly would step down after these massive failures, the company had no comment. For now, millions of students and teachers have to hope that a hacker’s promise is worth the price Instructure paid.