alt.hn

5/12/2026 at 2:56:31 AM

Instructure pays ransom to Canvas hackers

 https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers

by Cider9986

5/12/2026 at 6:25:35 PM

Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.

He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.

His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.

Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.

by jawiggins

5/12/2026 at 6:56:39 PM

This is the way to go.

Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.

and the executives who failed to carry regular backups obviously should face the music

by bijowo1676

5/13/2026 at 11:56:00 AM

I still believe in the approach taken by Mel Gibson’s character in “Ransom.”

Offer a reward equal to the ransom amount, to anyone who turns the kidnappers/criminals in to the authorities.

by ninjalanternshk

5/13/2026 at 12:01:17 PM

Good luck when most of the random gangs are in countries that, at best, don’t care about this, and often encourage or support it.

by solumunus

5/13/2026 at 12:16:41 AM

Backups were not Instructure’s problem. Hackers using the threat of exposing private information to extort Instructure’s customers was the problem.

by jstan65536

5/13/2026 at 12:20:10 AM

Equifax and other companies routinely leak customers PII and financial information.

the only outcome I got from their incidents is 1 year free "identity protection service" which I didnt use.

Should be a lesson for Instructure to have proper architecture and do not store PII they dont need in their processes.

by bijowo1676

5/13/2026 at 10:36:20 AM

At least those are mainly going to be adults. In the case of Instructure, there are many K12 school districts using Canvas as well. They are potentially selling lists of underage children along with where they live, and contact info like email and phone number.

These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.

by dessimus

5/13/2026 at 2:01:05 AM

Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.

Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.

by Eufrat

5/13/2026 at 3:40:57 AM

Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.

Infrastructure’s motivations must have lain elsewhere…

by BobbyTables2

5/13/2026 at 4:09:01 AM

Does that really shield the schools? HIPAA wouldn't care.

by erikerikson

5/13/2026 at 4:51:46 AM

educational LMS should not store real patient health data, so thats the problem of whoever designed that system.

by bijowo1676

5/13/2026 at 5:04:43 AM

The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.

by erikerikson

5/12/2026 at 10:59:09 PM

The criminals have better marketing than the disaster recovery vendors.

by axus

5/12/2026 at 8:24:01 PM

Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?

by varispeed

5/12/2026 at 8:55:37 PM

> Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?

No, for the same reason fence manufacturers aren't financing burglers.

by JumpCrisscross

5/12/2026 at 9:04:28 PM

There is enough competition that if word gets out you can move to someone honest. At this size you can't keep a secret.

by bluGill

5/12/2026 at 9:04:37 PM

It may be that the ideal number of ransomware operators is non-zero

by hughes

5/12/2026 at 11:24:20 PM

If they can restore from backups, then there’s no need to pay the ransom in the first place… Ransomware is designed to silently corrupt your backups.

by _vOv_

5/12/2026 at 10:22:29 PM

Who would of thought paying teenagers millions of dollars in crypto was a good idea?

They'll just use it on more exploits, more nonsense. It's a race to the bottom. Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.

This is what happens when we keep paying these criminals millions in hard-to-trace crypto.

I do find it all a bit funny though.

by HDBaseT

5/12/2026 at 11:17:00 PM

I suppose it also puts a price on not funding your security department.

by bawolff

5/12/2026 at 7:13:47 PM

How is it not a violation of AML laws to pay a ransom like this? Surely they didn't verify that the recipient (a criminal) isn't sanctioned or associated with sanctioned organizations.

by rsstack

5/12/2026 at 8:01:53 PM

Money laundering is the action of obfuscating the origin of criminal proceeds; victims or clients of criminals do not generally commit money laundering, for example buying drugs is not a form of AML violation regardless of the legality of the purchase itself or the fact that the funds will later be laundered by the traffickers.

KYC is a tool to prevent money laundry and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.

There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.

by cornholio

5/13/2026 at 1:02:38 AM

I think they mixed up sanctions (and any similar laws w.r.t. legal recipients) with AML laws. The legality of paying sanctioned entities doesn't depend on whether the money was laundered, but they were interested in how people get around the former.

by dataflow

5/12/2026 at 8:09:23 PM

Thank you! That's basically what I was asking.

by rsstack

5/12/2026 at 7:47:20 PM

How exactly would this fall into the purview of AML? As far as sanctions go the burden of proof would be on the government to prove the money went to a sanctioned entity and Instructure isn't a bank subject to KYC requirements.

by hattmall

5/12/2026 at 7:52:49 PM

All my corporate AML training says that not performing some KYC for large payments, directly or through a bank, is a crime in its own even if the recipient isn't sanctioned.

From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."

by rsstack

5/12/2026 at 7:36:33 PM

Even if it already is, the DoJ can exercise discretion in choosing who to prosecute. There has to be political will to threaten an org who has just suffered from an attack with further consequences if they make a payment.

by jawiggins

5/12/2026 at 9:24:43 PM

Probably not too relevant but off the top of my head, the New Zealand Government's guidance on ransomware payments is that you could technically be fined if you pay a ransom to an entity in a sanctioned country, although it doesn't go into specifics

by spondyl

5/12/2026 at 9:51:05 PM

Is it illegal to pay kidnappers in the united states? I've never heard of this and I can't seem to find anything that says any such law has actually been passed.

by nullocator

5/12/2026 at 9:59:38 PM

It's technically not illegal, but often is. You can't pay terrorist organizations or specially sanctioned orgs. See https://sanctionssearch.ofac.treas.gov

Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).

by kenjackson

5/13/2026 at 3:50:01 AM

I’ve been wondering this too.

Extortion and terrorism seem similar in many ways except the latter involves physical harm.

I’d asssume a company paying money to terrorists shouldn’t be acceptable.

It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.

Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.

by BobbyTables2

5/13/2026 at 4:00:36 AM

>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.

You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.

Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.

>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.

You would hope they would then upgrade the cardboard.

by protocolture

5/13/2026 at 4:06:59 AM

When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.

by erikerikson

5/13/2026 at 4:44:38 AM

The thieves are doing us a favor.

And yes, the companies executive should be jailed.

by protocolture

5/13/2026 at 4:48:10 AM

Except those payments are being passed through, are they not?

by erikerikson

5/13/2026 at 5:02:05 AM

Passed through where and how?

by protocolture

5/13/2026 at 5:05:28 AM

Canvas to schools to tax payers

by erikerikson

5/13/2026 at 5:38:30 AM

Ah yep, well they might pass on as much of the cost as they can to their customers, but it still costs them in lost customers/prestige etc.

by protocolture

5/13/2026 at 1:25:36 AM

The issue is that anything a hacker can do publicly a state actor can do silently.

Its a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.

The hackers here deserve every cent plus possibly more.

And theres always the problem that the hackers would still get paid, they just wont report the payments making tracking difficult.

by protocolture

5/12/2026 at 6:48:27 PM

Thank goodness that no kidnapping of an American has ever happened since.

by nathanmills

5/12/2026 at 7:14:06 PM

It is illegal to commit a crime. So no crimes will be committed. Duh.

by Geof25

5/12/2026 at 6:51:43 PM

That's the magic of Laws!

by eviks

5/12/2026 at 8:15:23 PM

Hmm, there was once fraud so I guess we should repeal any prohibitions on fraud, huh? Same for murder.

by JumpCrisscross

5/12/2026 at 8:47:27 PM

Calm down, extremist. There's a difference between someone doing something vs someone paying someone else to stop doing something. If the latter were truly bad then the same should be applied to people handing over their wallet to muggers. The only difference in that scenario and the above is saving yourself vs saving a family member. Would you really deny people the ability to save their loved ones?

by nathanmills

5/12/2026 at 8:55:03 PM

> then the same should be applied to people handing over their wallet to muggers

Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.

> Would you really deny people the ability to save their loved ones?

...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."

by JumpCrisscross

5/12/2026 at 9:13:22 PM

And where does ransomware fall on that trauma scale? The maximum sentence is less than mugging after all..

by nathanmills

5/12/2026 at 9:34:11 PM

> does ransomware fall on that trauma scale?

Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.

> The maximum sentence is less than mugging after all..

They’re in the same ballpark, 2 to 6 years or so.

by JumpCrisscross

5/12/2026 at 9:41:12 PM

> That’s a step (sentencing guidelines) after we decide it should be criminalized.

You decide it should be criminalized before you identify any harms?

> They’re in the same ballpark, 2 to 6 years or so.

You can just look it up. Maximum sentence for mugging is 30 years, ransomware is 20.

by nathanmills

5/12/2026 at 9:48:39 PM

> You decide it should be criminalized before you identify any harms?

No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.

> Maximum sentence for mugging is 30 years

Not the norm, either for maximums [1] or usual sentences.

[1] https://en.wikipedia.org/wiki/Robbery_laws_in_the_United_Sta...

by JumpCrisscross

5/12/2026 at 7:18:44 PM

Isn't there still incentive because the data itself is valuable so attacks would continue?

by phone_book

5/12/2026 at 7:39:40 PM

Maybe, but it’s harder to profit from it. A firm may be reputationally damaged, but what’s the incentive to cause that damage?

I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.

by jawiggins

5/12/2026 at 11:19:47 PM

If there was a way to profit from the data that was more than the ransom, wouldn't they just do that instead of asking for a ransome.

Or do both i suppose, just because someone pays a ransome there is no garuntee the hacker destroys the data.

by bawolff

5/12/2026 at 9:09:41 PM

How much value is in the data. It is embarrassing if some kid gets a D in class, and shouldn't be public - but most of the people who care already know or have ways to find out.

by bluGill

5/12/2026 at 8:18:17 PM

Not sure sanctions are a relevant reason not to pay here. We don’t know where everyone involved with ShinyHunters is located, but those arrested in the past have been American and French.

by rafram

5/12/2026 at 9:08:00 PM

Americans and French (and most other "first world") countries will investigate and arrest anyone involved. It doesn't matter if foreigners are the only victim, most countries do not want their citizens involved with this and will send anyone caught to whatever country was affects for criminal prosecution.

Russia, and North Korea are the main names that come up as exceptions, they will protect their own people.

by bluGill

5/13/2026 at 9:30:20 AM

This is doubtful.

Americans are more kidnapped globally when we look at a equal distribution of population (i.e. in the same pool in a generic country, Americans are more likely to be kidnapped (according to the James Foley Foundation).

Europeans are more likely targets in Africa due to our presence there (mostly NGOs).

The differences will be statistical, not motivated by a no-pay policy.

by BrandoElFollito

5/12/2026 at 8:02:45 PM

Not that I disagree but it also incentives attackers to steal and resell data to other nefarious actors.

After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.

by gustavus

5/12/2026 at 11:36:21 PM

[dead]

by aaron695

5/12/2026 at 5:21:27 PM

on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.

on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).

the dynamics/economics around ransomware is fascinating.

by john_strinlai

5/12/2026 at 5:35:58 PM

This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).

Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.

This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.

https://en.wikipedia.org/wiki/Collective_action_problem

https://en.wikipedia.org/wiki/Prisoner%27s_dilemma

by cortesoft

5/12/2026 at 6:00:30 PM

> Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.

You're then a target known to be vulnerable and pay ransoms, so best focus on security.

by Ysx

5/12/2026 at 6:05:27 PM

If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.

by sgc

5/12/2026 at 7:20:02 PM

What possible type of guarantee could one ever hope to "negotiate" with someone who has just successfully blackmailed/ransomed/extorted?

by LgWoodenBadger

5/12/2026 at 10:16:32 PM

If the ransomware operator believes that breaking their word might make it harder to get money out of future victims, they'll keep their word.

They might not believe that, but if you're at the point where you're paying anyway, you might as well try to get that commitment from them.

by kelnos

5/12/2026 at 7:50:52 PM

We are in the context of already having to pay. You are at their mercy no matter what, so the only value of any interaction with them is based on hoping they have incentive to maintain their promises to protect their reputation etc.

It's not a good situation to be in, but still, try to make the best of it.

by sgc

5/12/2026 at 6:19:12 PM

Other hacking groups now know Instructure pays up.

by Symbiote

5/12/2026 at 6:02:05 PM

There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.

For any individual within the ransom group, they can get a big payout by selling the data.

by janalsncm

5/12/2026 at 6:08:32 PM

Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.

Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.

Grades? Could be a FERPA violation.

Critical PII such as SSNs? Probably not in the LMS to begin with.

by SoftTalker

5/12/2026 at 6:21:05 PM

SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.

by browsingonly

5/12/2026 at 6:24:41 PM

This was common years (decades, really) ago but I'd be surprised if any university today was still doing that. I guess there could still be some....

by SoftTalker

5/12/2026 at 10:17:58 PM

My university stopped putting SSNs on student IDs more than 25 years ago. I'd be surprised if there are many who still do that.

Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.

by kelnos

5/12/2026 at 6:56:19 PM

I have trouble imagining that a ransomware group would care about a regulation like FERPA when they've already done something criminal that would more than enough for prosecution if they got caught.

by saghm

5/12/2026 at 9:12:53 PM

Those laws reduce the value though - "honest" people who are interested in such data won't be interested it from ransomware because they need to have legally obtained data. That is there are a lot of "honest but shady" uses of this data that are stopped by these laws.

by bluGill

5/12/2026 at 7:56:27 PM

I didn't mean that the ransomware group would care... but if they got grades, that might command a higher ransom than if they just had names and emails and other non-very-sensitive stuff.

by SoftTalker

5/12/2026 at 6:45:16 PM

I just spoke with a K-12 teacher I know, and she confirmed SSNs in the Canvas instance.

Yikes.

by Mezzie

5/12/2026 at 6:59:53 PM

Wow. A lot of K-12 students probably don't even know their own SSN off the top of their head, much less understand the impact of having it stored in this way. I can't fathom why it would be necessary for the SSN to be tracked by the school. At most, the school district as a whole might want a record so they could make sure kids are getting schooled but putting that into Canvas doesn't make any sense to me.

by saghm

5/12/2026 at 7:09:39 PM

Agreed, seems wild to me that anyone in 2026 is using SSN as an identifier in a system that's not doing some kind of tax reporting. It's kryptonite for any other purpose.

by SoftTalker

5/12/2026 at 7:16:25 PM

Oh, it's insane and I recoiled when she mentioned that.

But it is 100% happening.

People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.

by Mezzie

5/12/2026 at 7:51:32 PM

So, a particular school system decided to add SSN to the student profile? Or Canvas requires it?

by SoftTalker

5/12/2026 at 11:40:50 PM

I'm guessing that Canvas just sort of lets you put in whatever data you want, and someone evidently decided that putting the student's SSNs in there made sense...

by saghm

5/12/2026 at 8:40:21 PM

It's not required. I don't know precisely what her district is doing or why - I don't work there But she unprompted brought up that a lot of the minors' PII was in there including SSNs.

by Mezzie

5/12/2026 at 8:48:34 PM

It would be nice if system owners stopped thinking "we'll just ask for all the info in case we need it" and instead "we might get sued (or ransomed, or both) because we are collecting this."

by SoftTalker

5/13/2026 at 12:22:18 AM

That is a big yikes, but definitely not the norm. Most school districts switched from using SSN as their SIS identifier decades ago.

by zwily

5/12/2026 at 7:38:38 PM

They already have your SSN, as does anyone else who wants it.

by LastTrain

5/12/2026 at 8:40:48 PM

True. It's more yikes about what this says about the technical knowledge in that school.

by Mezzie

5/12/2026 at 6:07:38 PM

I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.

The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.

by MagicMoonlight

5/12/2026 at 11:39:35 PM

It really isn't as simple as that.

You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.

Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.

i.e, Student receives an email that looks like its from their school (has email footer, has student name, has relevant teacher name, subject name, etc), the user is now more likely to click some sketchy link.

These little identifiers add up, especially when cross-references with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.

A lot of this stuff could be done previously, although the effort and scale to do so would of been higher/harder.

by HDBaseT

5/12/2026 at 6:28:33 PM

> For the ransom group, it is better for them to be perceived as trustworthy.

They've already proved themselves to be untrustworthy simply by ransoming you in the first place.

by bradyd

5/12/2026 at 7:06:36 PM

No, they're proven themselves to be malicious. That's not the same thing at all.

by Ancapistani

5/12/2026 at 5:39:54 PM

You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.

But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.

by bombcar

5/13/2026 at 2:00:10 AM

Why don't someone pretend to be ransom hacker, take the money, and release the hacked data anyway?

This will progress the game theory to the point where nobody will pay ransom because the thieves won't honor the deals anyway.

by ergocoder

5/13/2026 at 1:36:09 AM

>but everyone would be better off if no one paid a ransom.

I doubt if everyone would be better off if state level actors found and used these vulnerabilities instead of ransom seekers.

by protocolture

5/12/2026 at 6:22:19 PM

And that’s exactly why the incidence of kidnapping plummeted in Italy once ransom payments were made illegal

by BennyH26

5/12/2026 at 6:27:36 PM

How does that work? I.e. say a kidnapping occurs and the ransom is paid. What kind of trouble does the paying party get into? A fine? Jail?

by latexr

5/12/2026 at 11:37:15 PM

A fine or sentence is probably on the books but it never comes to that. The main thing is to freeze the family's assets, and more importantly to publicize this procedure so the mafia or whoever knows there's no point in threatening the family.

by jasonfarnon

5/12/2026 at 9:16:48 PM

So long as the potential payer knows they will get something they are going to slow down. They might pay, but suddenly becomes harder because they have to hide what they are doing. Many won't figure out how to pay.

The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.

by bluGill

5/13/2026 at 9:38:40 AM

I understand the mechanism and the point of making it illegal, that’s not the question.

What I want to know is what exactly are the lawful repercussions for the person who paid.

by latexr

5/12/2026 at 5:39:31 PM

... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.

by Hizonner

5/12/2026 at 5:59:23 PM

US law has criminal penalties for paying a ransom to a designated criminal terrorist organization or under treasury sanctions.

by gnopgnip

5/12/2026 at 6:17:26 PM

Most hacking groups don't fall under that. Some, sure.

by esseph

5/12/2026 at 8:15:04 PM

A criminal penalty is a form of policy

by cortesoft

5/13/2026 at 1:51:01 AM

... but not the form of policy they actually have.

Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".

The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.

Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.

by Hizonner

5/12/2026 at 7:37:17 PM

There's one more piece that matters.

If no one pays the ransoms, but people believe that large ransoms are paid-- you still have the crime.

by mlyle

5/12/2026 at 8:34:43 PM

The obverse is true - because a ransom organization is dependent upon their reputation, a company claiming to have paid and received confirmation from the group could prevent them from releasing it as well.

The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...

by Ancapistani

5/12/2026 at 8:40:54 PM

Good/funny observation. Game theory and economics are fun. :D

I do think that the partial information problem relating to new entrants into this market is interesting though.

The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.

We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.

by mlyle

5/12/2026 at 11:42:41 PM

It's an interesting idea, although I think in the heat of the moment, the last thing your org should be thinking of will be playing games with one of the most prolific hacker groups on the planet.

You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.

by HDBaseT

5/12/2026 at 5:51:24 PM

While the us stance has resulted in savings on potential ransom, it has also lead to people being kept in prison for very long time until prisoner exchanges might be worked out. That cost to an individuals life being imprisoned is probably far in excess whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off gold standard.

by kjkjadksj

5/12/2026 at 8:19:08 PM

This is literally the exact point I am making, and the US policy isn’t about saving money.

Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.

However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.

The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.

The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.

by cortesoft

5/12/2026 at 6:01:13 PM

That ransoms today are denominated in USD and that the US might be printing too many USD has nothing to do with whether or not ransoms should be paid.

The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.

This is just way of avoiding the core issue by blaming something unrelated that you don't like.

A: U should clean your room, it would be better for you & the rest of your family

B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!

by appreciatorBus

5/12/2026 at 5:55:58 PM

Cash is not the real cost; the cost is by agreeing to continue printing ransom money, you cause more individuals to be kidnapped.

by WillPostForFood

5/12/2026 at 5:42:43 PM

I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.

The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.

by AlotOfReading

5/12/2026 at 6:06:39 PM

> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.

It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.

by applfanboysbgon

5/12/2026 at 7:09:16 PM

Agreed.

This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.

New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.

by Ancapistani

5/12/2026 at 6:01:54 PM

The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.

by Freak_NL

5/12/2026 at 11:41:02 PM

How does everyone know its ShinyHunters and not someone pretending? I imagine they have some mechanism to authenticate, I'm curious what it is.

by jasonfarnon

5/12/2026 at 11:50:02 PM

Because ShinyHunters published they hacked Canvas on their own website. They also redirected the canvas login pages to a ShinyHunters message, whilst this could be done by another group/person, its unlikely.

You can also validate PGP keys and TOX accounts, etc via their website.

by HDBaseT

5/13/2026 at 5:26:25 AM

OK, I didn't realize they had a stable website all this time. I guess it's all out there in the open with these groups.

by jasonfarnon

5/12/2026 at 5:46:34 PM

Yeah but fewer ransomes would be paid out regardless of who is attacking. They could be spoiling their own market and am sure they would

by onemoresoop

5/12/2026 at 5:55:21 PM

That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.

by AlotOfReading

5/12/2026 at 6:19:08 PM

> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time.

Reputation is everything in a collective.

by esseph

5/12/2026 at 5:38:48 PM

If we assume a world where ransomware is continually existent and all your data is ransomed at anytime, we'd have a world designed to work around that.

We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.

by bombcar

5/12/2026 at 6:50:20 PM

I think you may have re-invented email reputation.

by zbentley

5/12/2026 at 6:17:49 PM

An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.

What could go wrong? ;)

0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...

by arjie

5/12/2026 at 6:17:14 PM

What stops a ransomware group copying all data and just selling it piecemeal on the darknet under posibly a different name?

Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile

by joseda-hg

5/12/2026 at 6:09:50 PM

Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.

by ashleyn

5/12/2026 at 6:19:15 PM

There is a line where the ransom price beats the capex of keeping a secure system, specially when the risk so nebulous

Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally

by joseda-hg

5/13/2026 at 12:20:14 AM

Paying a ransom should always be illegal with federal criminal charges for the employees who authorize the payment. If businesses are destroyed or people die as a consequence then those are acceptable casualties.

by nradov

5/12/2026 at 7:36:41 PM

That operates on the idea that hacker organizations use long term strategic thinking, something the US government and a good number of corporations don’t even practice. I wouldn’t put my money on that.

by LastTrain

5/12/2026 at 8:03:44 PM

while i am not about to bet the farm on the long-term strategic thinking ability of extortion groups, they are much smaller than most corporations and the US government, thus its much easier to think strategically and execute on longer-term goals.

shinyhunters, for example, has been active and acted as a cohesive unit for the past 7 years.

by john_strinlai

5/12/2026 at 5:53:43 PM

> on the other hand, the ransomware groups that want to stay in business need to be honest

I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.

by esaym

5/12/2026 at 7:31:18 PM

one issue is that modern ransomeware groups are also being hunted themselves - there are many ransomeware orgs that are themselves being ransomed so are not reliable.

even if you pay the ransom to the 1st group, the 2nd group will leak.

by barkingcat

5/12/2026 at 6:01:18 PM

So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?

by patrickthebold

5/12/2026 at 5:06:28 PM

LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"

by ookblah

5/12/2026 at 6:07:55 PM

They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?

by aetch

5/12/2026 at 7:42:16 PM

The criminals did not share the logs of them making a copy of the data before shredding it; so obviously that didn't happen.

by linksnapzz

5/12/2026 at 5:18:44 PM

I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.

Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".

by layman51

5/12/2026 at 5:30:58 PM

Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.

by JohnMakin

5/12/2026 at 5:37:58 PM

It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?

by dylan604

5/12/2026 at 6:04:43 PM

> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.

If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.

by Scoundreller

5/12/2026 at 8:03:16 PM

the people who do "AML checks" are the ones processing the transaction.

i don't do that every time i want to send money. private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.

say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?

by abigail95

5/12/2026 at 6:51:53 PM

Cryptocurrency mitigates most of those concerns. That's why the flourishing of crypto payment systems has been an unalloyed blessing for cybercriminals.

by zbentley

5/12/2026 at 9:20:28 PM

No it does not. It makes some things harder and some things easier. The public ledger means you can track where then money flowed - you might not know who had it but you know how it flows which is interesting. I don't know if it has happened, but I've heard of proposals to make any bitcoin the traces to some transaction illegal to have, and that means nobody who might get caught will have anything to do with those.

by bluGill

5/12/2026 at 7:41:33 PM

It can at a technical level but not at a legal level.

Your BigCo accounting department is not going to be very understanding about acquiring cryptocurrency to send to ??? for a ransom.

by Scoundreller

5/12/2026 at 8:44:13 PM

Isn't this why in other comments people have said that companies use third parties to pay the ransom rather than paying directly?

by dylan604

5/12/2026 at 9:31:03 PM

That’s my theory too. Setting up payments to a new vendor is hard enough even for the most legitimate.

An org’s Net30 terms aren’t going to work here…

by Scoundreller

5/12/2026 at 5:56:10 PM

If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or former Eastern Bloc like Belarus. USA and the west doesn’t want a direct conflict so the drones never pay them a visit.

Instead, they trick the hackers into going on a vacation in a country that will let them grab them.

by wil421

5/12/2026 at 6:17:24 PM

A large percentage of hacking groups are state sponsored Russians. That seal response would be starting WW3 over some pii.

Protecting pii is important, but it's not that important

by amarant

5/12/2026 at 6:24:51 PM

we started the pretext to WW3 over someone wanting to move the focus of attention, so it's really not that much of a stretch.

by dylan604

5/12/2026 at 8:03:21 PM

Aye, I meant more in the sense of "it would be a bad idea", than "that's definitely not going to happen".

Predictions are hard, especially about the future!

by amarant

5/12/2026 at 6:43:46 PM

Man, I don’t remember Putin wanting to move the focus of attention that bad.

by altcognito

5/12/2026 at 6:08:37 PM

Iran, Russia and North Korea are the biggest sources of ransomware.

by MagicMoonlight

5/12/2026 at 5:57:51 PM

The cyber terrorist groups North Korean Lazarus Group and Russian groups like APT28 (Fancy Bear) are on the US SDN list, among others.

by fragmede

5/12/2026 at 5:55:39 PM

Search “cyber jihad” and “cyber islamic state” if you’re curious for answers.

by peyton

5/12/2026 at 6:18:48 PM

It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.

Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.

by calpaterson

5/12/2026 at 6:28:12 PM

I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.

For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -

> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.

I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.

[0] https://www.fbi.gov/how-we-can-help-you/scams-and-safety/com...

by JohnMakin

5/12/2026 at 5:35:25 PM

If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.

Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.

by stavros

5/12/2026 at 5:54:09 PM

Why not wait a week and take the site down and ransom them again?

by kjkjadksj

5/13/2026 at 8:34:37 AM

for the same reasons?

by shlant

5/12/2026 at 5:55:25 PM

Because why would anyone pay anyone if they were going to do what they threatened you with anyway?

by stavros

5/12/2026 at 6:08:07 PM

> We received digital confirmation of data destruction (shred logs).

This is shockingly naive

by terminalbraid

5/12/2026 at 7:35:36 PM

I imagine they are not naive, they're counting on their clients being naive.

by j-bos

5/13/2026 at 12:59:29 AM

Hackers have an incentive to destroy the data as promised, because if it becomes a trend where the data is leaked despite the ransom being paid, no one would pay ransoms in the future.

Obviously this doesn't stop hackers from selling the data anyway and say "it wasn't us, someone else got the same data through a different hack".

by omoikane

5/12/2026 at 6:11:39 PM

What's to say they didn't copy the data then shred a copy, or hell even just fabricate some shred logs.

by corvad

5/12/2026 at 6:37:37 PM

In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.

by latexr

5/12/2026 at 7:37:17 PM

However, they could use it as a last resort or as a final "gift" before getting arrested or switching identities.

They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.

Anyway, I hope this doesn't come at all, or as late as possible.

by eaf7e281

5/12/2026 at 8:27:41 PM

> but no one will know what will happen in a few years when this strategy won't work anymore.

Good point.

> Anyway, I hope this doesn't come at all, or as late as possible.

Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…

by latexr

5/12/2026 at 6:51:07 PM

Gotta hope that's just a PR attempt to try to save face. Though I wish companies would stop claiming it.

by Groxx

5/12/2026 at 2:41:43 AM

>The data was returned to us.

It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.

This is bullish on Monero[2]. The January pump may have been from a hack as well[3].

Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].

[1] https://www.youtube.com/watch?v=IeTybKL1pM4

[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...

[3] https://xcancel.com/zachxbt/status/2012212936735912351

[4] https://archive.ph/4zD7f

[5] https://archive.ph/NYWbJ

by Cider9986

5/12/2026 at 5:13:47 PM

I guess the incentive is for the hackers to not leak, so they can get away with the next ransom.

by avaer

5/12/2026 at 9:34:54 PM

This is a good time to point out that when there is a data breach, data is rarely stolen. The real threat and harm is when data that is stolen is used against you.

by mbesto

5/12/2026 at 6:03:23 PM

> You wouldn't "return" data unless it was encrypted or the originals were deleted

The very next line from what you quoted:

> We received digital confirmation of data destruction (shred logs).

Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".

by embedding-shape

5/12/2026 at 5:55:34 PM

A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.

by delichon

5/12/2026 at 5:58:22 PM

So you would rather take your business to somewhere that got hacked, didn't pay the ransom, and got customer data leaked?

by pretzel5297

5/12/2026 at 6:00:36 PM

Yes, particularly if they are transparent about it.

by delichon

5/12/2026 at 6:33:48 PM

Yeah, sorry. I don't believe you :)

by pretzel5297

5/12/2026 at 6:03:11 PM

The customer data is already leaked, unless your threat model somehow includes trusting threat actors to keep said data confidential in perpetuity.

by tadfisher

5/12/2026 at 6:13:29 PM

ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.

by applfanboysbgon

5/12/2026 at 6:27:53 PM

Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?

by tadfisher

5/12/2026 at 7:18:43 PM

I would expect ShinyHunters to understand that traitors pose an existential threat to the group and to take measures to prevent a lone wolf from selling them out easily. That they have existed for 7 years already indicates they are probably not so amateur as to allow any individual member to walk off with data that would compromise their operation.

by applfanboysbgon

5/12/2026 at 7:55:28 PM

This is a really silly take. Instructure also had a financial incentive not to get hacked. And yet…

by skywhopper

5/12/2026 at 8:05:24 PM

No, it actually doesn't, which is the problem. The market has shown that there are no financial consequences to any company that gets hacked. Instructure could have just as well not paid the ransom, as many companies don't, and continued to be fine. Even if they do pay the ransom, it is likely that it is less than it would have costed them to engineer secure systems, so even if you take paying ransoms as necessary market incentives still steer you to ignoring security.

by applfanboysbgon

5/12/2026 at 6:08:53 PM

If you believe the hackers didn’t keep a copy of the data, you’re the target market.

by aetch

5/12/2026 at 6:02:26 PM

Both of them got hacked so... yes.

by jsLavaGoat

5/12/2026 at 6:40:01 PM

Theoretically, if it happened before and the ransom wasn’t paid, there’s both an incentive by the service to improve their security practices and a disincentive on the hackers to target that business.

by latexr

5/12/2026 at 6:28:21 PM

I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.

I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.

by Waterluvian

5/12/2026 at 7:00:18 PM

I've never seen a company blame a data breach as the point where they started going bankrupt.

Customers never migrate on mass after a breach, 7000 underfunded and overworked education institutions are not migrating on mass.

So I feel safe to say there's no lasting impact to a company when a data breach occurs.

This will all be forgotten in a few months.

by cube00

5/12/2026 at 8:38:02 PM

To be fair, I don't think I've ever seen a company identify the inflection point after bankruptcy, accurately or not.

by Ancapistani

5/13/2026 at 9:50:20 AM

Probably, but without government regulation to make ruinous fines for allowing your data to be breached, the thought experiment is moot.

by LadyCailin

5/12/2026 at 6:08:25 PM

I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.

by corvad

5/12/2026 at 6:52:56 PM

How does things like this work in terms of bookkeeping? How do they label the expense? Can a company send huge amounts of money to an unknown crypto account without needing to explain anything to the tax authorities?

by yoavm

5/12/2026 at 7:37:31 PM

It's the insurance company paying the ransom and I assume they tie the payment to the insurance policy they are fulfilling, I don't know what the tax implications would be, I am not in finance or an accountant

by mewse-hn

5/12/2026 at 7:41:00 PM

“Data recovery”?

by acomjean

5/13/2026 at 10:49:08 AM

Stop funding cyberterrorism.

>the deal means that the hackers have returned the compromised data of some 275 million users across more than 8,800 institutions.

Yea sure, they didn't keep the copy of stolen database. You know, criminals are very trustworthy people.

by mrkramer

5/12/2026 at 6:35:41 PM

Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?

by evantahler

5/12/2026 at 6:54:55 PM

We’re currently working to identify a robust list of Indicators of Compromise (IOCs) and will make those available to our customers.

https://www.instructure.com/incident_update

It worries me they've only committed to making it available to their customers and not the public.

by cube00

5/12/2026 at 7:10:59 PM

I read online that it has to do with their "Free-For-Teachers accounts" which I assume is a way for teachers to get access to Canvas services for free when their school doesn't subscribe to it.

I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.

by layman51

5/12/2026 at 7:23:05 PM

This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.

[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)

by sheept

5/12/2026 at 11:24:58 PM

Surely if they are demanding a ransome they somehow got server access to delete data. Would seem kind of insane to pay a ransome solely for an XSS.

by bawolff

5/13/2026 at 1:06:02 AM

Everyone's making a lot of good points about game theory and economic motivations, but there is a much more important and self-serving point: when you pay a ransom, hackers come after your shit x10.

Paying a ransom signals 3 things: 1) you are vulnerable to attack 2) you cannot recover from an attack 3) you've got cash

The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)

by kryogen1c

5/12/2026 at 6:38:13 PM

I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.

by sans_souse

5/12/2026 at 6:14:32 PM

> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.

Hmm. I thought all these agencies say NOT to pay a ransom.

by corvad

5/12/2026 at 9:23:05 PM

Not always. They have been known to give "marked bills" to pay with in the past. A lot can be learned by watching how ransom money moves around (bit coin is very traceable this way). Sometimes paying a ransom is an important part of finding and arresting the guilty.

by bluGill

5/12/2026 at 6:18:04 PM

Engaged != listened to.

by biesnecker

5/12/2026 at 6:02:27 PM

What on earth does "returned the hacked personal data" mean?

by rottencupcakes

5/12/2026 at 6:04:32 PM

I believe attacks like this often include copying data and then deleting it from the victim's servers.

Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.

by yakkomajuri

5/12/2026 at 5:39:05 PM

How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?

by Freak_NL

5/12/2026 at 6:16:39 PM

This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.

Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.

by ibejoeb

5/13/2026 at 5:39:56 AM

Dumb move. You cannot trust that they won't leak it anyway to make additional profit, since they're not accountable except to their made-up name.

by pmarreck

5/12/2026 at 7:10:09 PM

I've seen half a dozen comments in this thread suggesting that paying hacking ransoms should be illegal, but I strongly disagree, for multiple reasons. I'll just make this a top-level comment rather than picking one to reply to.

(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."

(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].

(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.

(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.

(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.

[1]https://2021-2025.state.gov/briefings/department-press-brief...

by applfanboysbgon

5/13/2026 at 3:54:01 AM

If customers suffer when a company doesn’t pay ransom - that’s a good thing.

Those (now former) customers can the be patrons of a competitor that doesn’t let such happen again.

by BobbyTables2

5/13/2026 at 4:30:49 AM

That's just not reality. Not least of which because competitors are exactly the same when it comes to security. Even if they weren't, security isn't something the market can realistically select for because it's not verifiable from a customer's perspective. A customer can clearly see, say, a price difference or feature difference, but cannot see a security difference in any meaningful sense. This is something that needs to be enforced at a regulatory level, there are many problems the free market cannot solve, and in fact market forces actively incentivize neglecting security.

by applfanboysbgon

5/13/2026 at 12:27:56 AM

The problem is paying ransom to these groups gives teenagers millions of dollars in crypto to spend on more exploits and more insiders.

It is a race to the bottom. The teenagers have effectively unlimited time, millions of dollars and rocket launchers.

by HDBaseT

5/12/2026 at 7:50:33 PM

The moral hazard of companies escaping scrutiny of their poor practices while simultaneously subsidizing the behavior that takes advantage of said poor practices at other companies needs to be addressed.

by linksnapzz

5/12/2026 at 7:48:52 PM

I'm curious about the open source competition (https://github.com/moodle/moodle is my first find, there are likely others) and what they could've made happen with that money if they had received it instead as an investment re: not worrying about future ransomware attacks.

by __MatrixMan__

5/12/2026 at 7:53:07 PM

Canvas itself is also open source (https://github.com/instructure/canvas-lms), which was the big appeal of it originally in a world where Blackboard had a stranglehold on the LMS market.

by skywhopper

5/12/2026 at 8:53:39 PM

Huh, neat! I had just assumed otherwise because everything else my university uses is nine kinds of proprietary.

Like, they recently tried to sell me to McMillian who then tried to sell me the "submit homework" button for $20. I complained and got exempted from having to submit homework, but that's par for the course in edtech right now.

by __MatrixMan__

5/13/2026 at 1:39:01 AM

"The deal with the hackers included the return of stolen data and digital evidence that copies had been deleted, Instructure said."

does "yes, I deleted the data" in an email count as digital evidence?

by TruffleLabs

5/12/2026 at 6:17:23 PM

There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.

In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.

IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.

by Zigurd

5/12/2026 at 6:18:35 PM

Backups do nothing to protect your customers from getting extorted to avoid their data being leaked.

by applfanboysbgon

5/12/2026 at 6:26:11 PM

What extortable content should schools be creating? And if they are it's crazy that they are trusting it to school SaaS.

by Zigurd

5/12/2026 at 6:34:23 PM

Enrollment or courses might not be generally super sensible, but financing/financial data, personal identification like phone numbers and emails, chat logs and such

by joseda-hg

5/12/2026 at 6:32:42 PM

I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.

I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.

by applfanboysbgon

5/12/2026 at 4:31:54 AM

Given they were hacked multiple times, couldn’t they just be targeted again by the same or different group? Why would it stop here?

by SilverElfin

5/12/2026 at 5:32:29 PM

The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)

A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.

by Freak_NL

5/12/2026 at 5:51:55 PM

So they hacker group could create an unregistered subsidiary and hack some more?

by felooboolooomba

5/12/2026 at 6:06:19 PM

Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.

They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.

by Freak_NL

5/12/2026 at 6:06:07 PM

They could but also why would they?

They can always just hack them again but with a different method this time.

The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.

As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.

Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.

They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.

by OneDeuxTriSeiGo

5/12/2026 at 6:55:45 PM

If you squint you can think of it as pen-testing done economically right: how much do you really value your data??

by esafak

5/12/2026 at 7:11:26 PM

NGL that's pretty much what it is.

On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.

On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.

by OneDeuxTriSeiGo

5/12/2026 at 5:29:12 PM

Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.

[1] - https://en.wikipedia.org/wiki/ShinyHunters

by somenameforme

5/12/2026 at 7:58:29 PM

It might make more sense for Shinyhunters to request a reoccuring charge to smooth out their revenue stream. Basically protection money as it was called in the good old days.

This is of course assuming that Instructure continues to be relevant, and that students still believe that college education holds economic or social value.

by enceladus06

5/12/2026 at 10:56:28 PM

I think Instructure has made themselves a target. I'm a professor at a college that uses Canvas and I'm going to be making sure I download the gradebook for my classes more often from now on.

by jccalhoun

5/12/2026 at 9:46:53 PM

What data held by Instructure is so critical it warrants a ransom payment?

by vachina

5/13/2026 at 12:29:22 AM

Tons of stuff, usernames, first name, last name, email addresses. - Most of this stuff isn't "private" per se, but its also not publicly index-able for a reason.

Conversations between students, conversations between teachers and other students/staff or teachers. Course content, etc.

by HDBaseT

5/12/2026 at 5:59:52 PM

Michael Jackson paid the ransom and look what happened to him.

by xvxvx

5/12/2026 at 5:28:58 PM

It would be amusing to discover it turned out that the hackers were 14 year old teenagers, bored with school.

by doublerabbit

5/12/2026 at 6:00:43 PM

The defendant, who calls himself “zero cool”, has repeatedly committed criminal acts of a malicious nature.

by cheschire

5/12/2026 at 6:16:22 PM

[flagged]

by archpulse

5/12/2026 at 5:22:01 PM

[flagged]

by wingdingst