The company behind the popular Canvas software, which was hacked last week causing major disruption at thousands of universities and colleges, has paid the hackers not to publish stolen data online.

The cyber-attack affected an estimated 9,000 institutions in the US, Canada, Australia and the UK, with exams disrupted after the Canvas service went down.

The hackers threatened to publish 3.5 terabytes of student and university data they had stolen in the breach.

Instructure, the maker of Canvas, has now confirmed it has "reached an agreement" with the hackers, who have said they deleted the data and promised not to extort any students or institutions.

Paying cyber criminals goes against the advice of law enforcement agencies around the world, as it can fuel further attacks and offers no guarantee the data has been deleted.

In previous cases, criminals have accepted ransom payments but lied about destroying stolen data, instead keeping it for resale.

For example, when the notorious LockBit ransomware group was hacked by the National Crime Agency, police found stolen data had not been deleted even after payments had been made.

Instructure said in a statement on its website that protecting students' and education staff data was its primary motivation.

"While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said.

Instructure did not set out the terms of the agreement but said that it meant that:

That openness may be partly because the attack was highly visible and affected students directly.

Students sitting exams in the US were particularly badly affected, losing access to Canvas for revision and, in some cases, having online exams interrupted.

Aubrey Palmer, a meteorology student at Mississippi State University, told the BBC that they and other students had just finished writing a 2,900-word exam essay when a ransom message suddenly appeared on their screens.

It threatened to release stolen data unless a ransom was paid in bitcoin by Canvas or affected universities.

"My knee-jerk reaction was that I'd been hacked myself, because that's what it looked like," Aubrey said.

"But then I actually read the ransom note and saw it was Canvas that had been hacked."

Aubrey added dozens of students received the same message, and there was confusion in the exam room about whether their work had been saved.

Mississippi State University later announced some exams would be postponed to allow students to recover any lost work.

Shiny Hunters is known for hacking organisations, stealing data and then publicly pressuring victims to pay ransoms in bitcoin.

The group has been linked to other breaches, including attacks on Jaguar Land Rover and Gucci. The criminals are English-speaking and believed to be young.

In Telegram messages exchanged with the BBC, Shiny Hunters said it had hacked Canvas twice before last Thursday's attack.

Instructure disclosed a breach in September 2025 in a post on its blog.

Shiny Hunters has also claimed it breached the company again in April 2026, ahead of the 29 April attack.

When asked how it felt about the stress and disruption caused to students like Aubrey Palmer, the group said: "We have no comment on that."

It would not say how much it had been paid by Instructure. (BBC)