The High Cost of Submission: Why Canvas Paying Off Hackers is a Massive Mistake

By Nathan Mumm | May 12, 2026 | Comments Off on The High Cost of Submission: Why Canvas Paying Off Hackers is a Massive Mistake

If you woke up this morning and checked your social media feed, you probably saw a wave of panic from students, teachers, and graphic designers alike. There’s been a massive data breach involving "Canvas," and the headlines are enough to make anyone’s stomach drop. But before we get into the meat of the disaster, let’s clear the air on one very important point that has caused a weekend’s worth of unnecessary stress: your Canva account, the one you use to make birthday invitations and Instagram stories, is perfectly fine.

The victim here isn’t the Australian graphic design darling; it’s Instructure, the company behind the Canvas Learning Management System (LMS). While the names are nearly identical, the stakes couldn't be more different. We’re talking about the digital backbone of nearly 9,000 schools and universities worldwide. And unfortunately, as we often see here at TechTime Radio, the response from the corporate suites has been, well… let's just say it makes us go "Humm."

The Heist: 275 Million Reasons to Panic

The threat actors behind this hit are a group known as ShinyHunters. If that name sounds familiar, it’s because they’ve been a thorn in the side of big tech for years, previously claiming scalps from companies like Microsoft, AT&T, and Ticketmaster. This time, they claimed to have made off with a database containing the personal information of 275 million users.

What kind of data? The usual suspects: full names, email addresses, phone numbers, and professional identities. For a student or a teacher, that’s more than enough for a dedicated scammer to ruin a semester. ShinyHunters put a clock on the wall, demanding a ransom payment by May 12th: today: or the data would be dumped for the highest bidder on the dark web.

Instead of standing their ground, Instructure confirmed they reached an "agreement" with the hackers. In the world of cybersecurity PR, "agreement" is a polite euphemism for "we paid the ransom."

Close-up of hands clasped on a desk in a dark room representing a corporate ransom payment decision.

Nathan’s Perspective: Feeding the Sharks

Let’s call this what it is: a massive mistake. Nathan Mumm has said it on the air a thousand times, and he’s saying it again now. Paying a ransom doesn't solve the problem; it just validates the business model of the criminals.

When a company like Instructure writes a check to a group like ShinyHunters, they aren't buying security. They are buying a pinky promise from a group of professional thieves. Think about it: why would a hacker delete the data? They’ve already proven they have no ethics. They can take the money, tell the company the data is "destroyed," and then turn around and sell it to three other groups six months from now.

By paying out, Instructure has effectively placed a neon "Open for Business" sign on every other educational tech provider in the industry. The message is clear: if you hit a school system hard enough, the parent company will fold. It’s a dangerous crossroads for the tech industry, and Instructure just took the wrong turn.

The Illusion of "Case Closed"

Instructure’s official line suggests that by reaching this agreement, the threat to their users has been neutralized. Skeptical? You should be. Here at TechTime, we look at the long game.

Once data is exfiltrated, the "genie" is out of the bottle. Even if ShinyHunters honors the deal (a big "if"), there’s no way to verify that a rogue member of their group didn't keep a copy, or that the data wasn't indexed by another sniffing tool during the transfer. Paying the ransom provides a false sense of security that might actually prevent users from taking the necessary steps to protect themselves, like changing passwords or freezing credit.

If you’re a user of the Canvas LMS, don't wait for a "clear" signal from the corporate office. Head over to our Privacy Policy page to see how we handle data, and then go change your own credentials. Assume your data is out there, because in 2026, it usually is.

The Canva vs. Canvas Confusion

We have to talk about the branding nightmare here. For years, people have confused these two companies, but this week took it to a new level. While Instructure was busy negotiating with digital pirates, Canva (the design tool) was likely fielding thousands of support tickets from panicked users.

This is the hidden cost of a breach. It’s not just the ransom; it’s the brand erosion. Instructure’s decision to pay doesn't just hurt their own reputation as a "secure" educational platform; it muddies the waters for everyone with a similar name. It’s a messy situation that highlights why we always dig deeper into the stories behind the headlines.

A weathered concrete barrier standing firm against a stormy sky, symbolizing cybersecurity resilience.

Standing Firm or Folding Fast?

We are at a point in the digital age where every company needs to decide who they want to be. Do you want to be the company that invests in impenetrable infrastructure and stands firm against extortion, or do you want to be the company that treats ransoms as a "cost of doing business"?

The "TechTime" vibe is one of skepticism for a reason. We see these cycles repeat. A company gets hit, they pay, they promise it won't happen again, and then they get hit by a "copycat" three months later. If we want the hacking to stop, we have to stop making it profitable.

If you have questions about how this affects your school or your kids' data, feel free to Ask Us a Question. We love diving into these topics and cutting through the PR fluff.

Oh hi there 👋 It’s nice to meet you.

Sign up to receive Awesome Technology Content in your inbox, every month, or every other month, depending on our task list.

We don’t spam! Read our privacy policy for more info.

0
Posted in Ask the Expert