Maker of Canvas Learning Platform Strikes Deal for Hackers to Return Data; The New York Times, May 12, 2026

Qasim Nauman, The New York Times; Maker of Canvas Learning Platform Strikes Deal for Hackers to Return Data

[Kip Currier: How confident are you that the stolen data and personal information from more than 275 million students and teachers at more than 9,000 colleges and universities around the world has been returned and that copies of that data have been destroyed?]

"The maker of Canvas, the software used by thousands of schools and universities around the world, said on Monday that it had reached a deal with the hackers that recently breached its systems for the return of stolen data and the destruction of any copies.

ShinyHunters, a hacking group, had claimed responsibility for the attack on Instructure, the Salt Lake City-based company that provides Canvas to about half of all colleges and universities in North America.

The hackers said they had accessed the data of more than 275 million users at nearly 9,000 schools worldwide, including private conversations between students and teachers as well as personal identifying information such as names and email addresses. Canvas was shut down for hours after the cyberattack on Thursday.

The agreement, Instructure said in a statement, involved the return of the stolen data and confirmation that the data had been destroyed at the hackers’ end. Instructure added that it had been informed that none of its customers would face extortion as a result of the theft."

FBI Arrests Hacker Who Hacked No One; Daily Beast, March 31, 2017

Kevin Poulsen, Daily Beast; FBI Arrests Hacker Who Hacked No One

"Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions.

Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as major oil and gas company. As Huddleston sees it, he’s a victim himself—hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies.

Depending on whose view prevails, Huddleston could face prison time and lose his home, in a case that raises a novel question: when is a programmer criminally responsible for the actions of his users?"