Well, that didn't last long! Recording this on Saturday morning my time, I observed ShinyHunters having gone quiet since the massive haul that would have been the Instructure ransom. It was two weeks almost to the hour since I'd first heard rumour of payment being made, and I posited that groups like this often go quiet after they feel the heat, only to emerge shortly after, the drug that is hacking being too strong to ignore. Anyway, here we now are:

🚨🇺🇸 ShinyHunters Claims 3 New Victims

🇺🇸 https://t.co/v8Wf457Gbp: U.S.-based dental benefits administrator and oral health company.

🇺🇸 Charter Communications, Inc.: U.S. telecommunications and cable company best known for Spectrum internet, TV, mobile, and phone services.

🇺🇸… pic.twitter.com/epWcVVGRHa

— Dark Web Informer (@DarkWebInformer) May 22, 2026

DentaQuest has since been removed, but their website is currently returning "Access Denied", which isn't a great look. Obviously, the broken website doesn't look great, but neither do the optics of potentially having paid a ransom. But that does seem to be the way that many of these incidents are going now 🤷‍♂️

It's a hot topic, the old "pay or don't pay" for hackers not to leak your data. Since recording this a few days ago, we've had Grafana go with the "no pay" approach, and I've seen a raft of commentary around other companies reaching "agreements", which is a much politer way of saying "we paid extortionists a ransom". I'm concerned about the normalisation of ransom payments, and using language that deflects from the criminal nature of it is a big part of that. Instructure's exact words were that they "reached an agreement with the unauthorised actor involved", which really waters down the severity of the whole thing. It looks like, for the time being, "pay or leak" is the new norm... along with nonsensical statements like "the data was returned to us" 🤷‍♂️