How much money are they asking for?
ShinyHunters' ransom demand from Instructure has not been publicly disclosed — the company confirmed it paid but has not revealed the amount.
Why it matters: Instructure's decision to pay sets a precedent that education vendors will settle, which encourages future attacks on similar platforms.
- Instructure confirmed on May 11 it reached a settlement with ShinyHunters — one day before the May 12 deadline — but released no dollar figure.
- ShinyHunters separately demanded $1 million from the University of Pennsylvania for its own data, per The Daily Pennsylvanian — suggesting the group was extracting payments from individual institutions as well.
- ShinyHunters received an unspecified sum in exchange for a promise to delete the 3.65 TB trove; security experts note such promises are unverifiable.
- Instructure has not confirmed the payment amount, and some security analysts argue the company should not have paid at all — paying a criminal group with no ability to verify data deletion may only validate the attack model without actually protecting students.
