Instructure paie une rançon massive aux pirates ShinyHunters
Read, Watch or Listen
United States-based Instructure, the developer of the widely used Canvas learning management system, has confirmed it paid a ransom to the cyber-extortion group ShinyHunters after a massive breach affecting education institutions worldwide. The company said it transferred the payment one day before a final deadline of May 12, 2026, following the theft of 3.6 terabytes of data linked to roughly 275 million users at more than 8,800 institutions, including major U.S. universities and K-12 school districts. Stolen information included student and staff names, email addresses, ID numbers and billions of private messages exchanged on the platform. The attackers escalated the incident on May 8 by defacing login portals at about 330 institutions, blocking access for students and faculty during critical final examination periods. United States investigators found that the hackers exploited a vulnerability in Canvas’s “Free-For-Teacher” account feature to bypass security boundaries and reach institutional data, prompting Instructure to disable that feature and deploy additional security patches. Chief executive Steve Daly said the company received digital confirmation of data destruction in the form of “shred logs” and assurances from ShinyHunters that it would not further extort Instructure’s customers, although the firm did not disclose the size of the ransom. The Federal Bureau of Investigation generally advises against paying ransoms, but Instructure said it proceeded with the settlement because of the immediate risks to student privacy and the disruption to academic operations during exams.
Prepared by Emily Rhodes and reviewed by editorial team.
Timeline of Events
- Début 2026 Des pirates exploitent la vulnérabilité Free-For-Teacher
- Début 2026 Des attaquants accèdent aux données institutionnelles de Canvas
- 8 mai 2026 Portails de connexion dégradés dans 330 institutions
- 8 mai 2026 Étudiants et professeurs bloqués pendant les examens
- 11 mai 2026 Instructure paie la demande de rançon de ShinyHunters
- 11 mai 2026 L'entreprise reçoit des confirmations de journal de destruction numérique
- 12 mai 2026 Date limite pour le paiement final de la rançon fixée
- Mi-mai 2026 Instructure applique des correctifs, désactive la fonctionnalité
Why This Matters to You
Vos données pourraient être compromises si vous faites partie des 275 millions d'utilisateurs concernés. Vérifiez si votre établissement utilise Canvas et changez immédiatement votre mot de passe. Méfiez-vous des e-mails suspects qui pourraient être des tentatives de hameçonnage.
The Bottom Line
Cette violation montre à quel point la cybersécurité est vitale à notre époque numérique, en particulier dans le domaine de l'éducation. La décision d'Instructure de payer la rançon, bien que controversée, visait à protéger la vie privée des étudiants et les opérations académiques. À transmettre si vous connaissez quelqu'un dans le secteur de l'éducation.
- Articles Published:
- 1
- Right Leaning:
- 0
- Left Leaning:
- 0
- Neutral:
- 1
- Distribution:
- Left 0%, Center 100%, Right 0%
Non spécifié dans la source.
Non spécifié dans la source.
Coverage of Story:
From Left
No left-leaning sources found for this story.
From Right
No right-leaning sources found for this story.
Comments