Instructure Claims Hackers Destroyed Stolen Data on 275 Million Users—Experts Don't Buy It

Instructure, the education technology company behind the Canvas learning management system, this week announced an agreement with the ShinyHunters extortion group following a breach that attackers claim exposed data tied to roughly 275 million students, teachers, and staff. The company stated it obtained "digital confirmation of data destruction" and assured affected institutions—nearly 9,000 universities and K-12 schools—that no extortion efforts would follow. Security analysts are not convinced.

"Do I believe they deleted the data? No. They're criminals and scumbags," Allan Liska, a threat intelligence analyst at Recorded Future who tracks ransomware and data-leak operations, told The Register. Liska referenced research by Stanford's Max Smeets describing this dynamic as "The Ransomware Trust Paradox"—the expectation that criminal actors will honor commitments they have every incentive to break. The pattern appears consistent: when organizations pay or negotiate for data deletion, evidence that files were actually destroyed remains scarce.

The incident puts immense pressure on the education sector, which has become a high-value target for threat actors due to the depth of personal and institutional data it holds. Beyond the immediate privacy risks for millions of individuals, the breach raises questions about Instructure's security posture and the adequacy of protections for sensitive educational records. Whether ShinyHunters actually relinquished the data or retains copies for future leverage remains unknown. Until independent verification emerges, the affected institutions—and the 275 million people whose information may have been compromised—face continued uncertainty about where that data now resides.