Late on Monday 11 May 2026, Instructure — the company behind Canvas LMS — issued an apology and announced it had reached a settlement with ShinyHunters, the criminal extortion group that breached Canvas twice in two weeks. The company said it received "digital confirmation of data destruction (shred logs)" and assurance that no Instructure customers would be extorted as a result of the incident.
The story is over. Time to move on.
Except — it's not. And we'd like to explain why.
For the 275 million students, teachers, and staff at 8,800+ institutions whose data was taken, the deal that Instructure made changes very little. The cybersecurity industry's response to the announcement has ranged from quietly sceptical to openly disbelieving — and there are good, evidence-based reasons for that scepticism.
This article walks through what actually happened, what the agreement does and doesn't change, and what you should do now. We'll keep it analytical and grounded — no fearmongering — but we won't pretend the data is gone just because a payment was made.
What Instructure actually agreed to
Here's what the public statement says:
- An agreement was reached with ShinyHunters for an undisclosed amount
- "Digital confirmation of data destruction" was received in the form of "shred logs"
- The agreement "covers all impacted Instructure customers"
- Individual customers have "no need" to engage with ShinyHunters directly
What the statement doesn't say:
- That the data was independently verified as destroyed
- That copies could not have been retained by ShinyHunters or shared with affiliates before the deal
- That the data wasn't accessed by anyone else during the exposure window
- That follow-on phishing campaigns can be prevented
That last point matters most. Even in the best-case scenario where ShinyHunters honours the agreement completely, the data was already viewed, sampled, and in some cases shared with third parties before the deal was struck.
Why experts don't trust "shred logs"
This is the part most coverage glosses over. A "shred log" is, at best, a screenshot or file listing claiming the data has been deleted. It is not — and cannot be — proof.
There are three structural reasons cybersecurity professionals don't accept ransom-payment data destruction at face value:
1. Criminal groups have no incentive to actually destroy data. The data has ongoing value — for resale, for future extortion, for use in unrelated campaigns. Destroying it permanently removes that value. Honouring an agreement to destroy it is a business decision, not a compliance obligation.
2. ShinyHunters has a documented history of breaking agreements. The group has been linked to breaches at Ticketmaster, Google, the University of Pennsylvania, Princeton, and Harvard, among many others. Their operational model is described by threat intelligence firm Halcyon as "pay or leak" — with the explicit caveat that payment provides no guarantee of either non-publication or destruction.
3. The data was demonstrably shared before the agreement. TechCrunch reviewed sample records that ShinyHunters provided to verify the breach. Those samples existed outside of Instructure's reach. There is no mechanism — technical, legal, or operational — by which Instructure could ensure every copy that ever existed was returned and destroyed.
The Register, which covered the deal extensively, put it this way: "There is no honour among thieves."
What Halcyon and Bitdefender are telling clients
The two threat intelligence firms tracking this incident most closely have both issued the same guidance to enterprise clients in the wake of the deal: assume compromise.
From Halcyon's analysis: "All 8,800+ affected institutions should treat themselves as compromised. The exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike. Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks."
From Bitdefender's technical advisory: "Even after credential rotation and Free-For-Teacher program shutdown, the stolen data remains usable. Phishing campaigns may emerge weeks or months after the breach."
Translation: the deal addresses the publication risk. It does not address the operational risk that flows from the data existing in the wild.
The risk that didn't go away
Here's the threat model for the next 12 to 24 months, with or without a payment:
Targeted phishing using verified personal context. Attackers now have your full name, email address, institution, student or staff ID number, and in many cases the content of private messages you exchanged on Canvas. A phishing email referencing your actual course code, your actual lecturer, or a real conversation you had is significantly harder to detect than a generic one. This is the immediate and highest-probability risk.
Credential stuffing across other services. Passwords were not confirmed as stolen, which is genuinely good news. But your verified email address — confirmed to be associated with a real, current account — is highly valuable on its own. Attackers will use it to try logging into other services with common passwords or with credentials from other breaches.
Identity-adjacent attacks. Student ID numbers are quasi-identifiers. They can be used to "verify" the identity of an attacker pretending to be from your university's IT department or financial aid office.
Long-tail dark web circulation. Even if the master copy of the dataset was destroyed, fragments that were sampled, screenshot, or shared during the negotiation phase may surface in private dark web channels for months or years to come. This is where ongoing intelligence monitoring earns its place.
What you should actually do
Whether or not you trust that ShinyHunters destroyed the data, the actions worth taking are largely the same. Here's a practical checklist.
This week:
- Change your Canvas password and any password you've reused on other services
- Enable multi-factor authentication on email, banking, social media, and any account that supports it
- Be highly suspicious of any email referencing your studies, fees, enrolment, or Canvas — especially if it asks you to click a link or verify details
- Don't share your student ID number with anyone who contacts you unsolicited
- If you receive a phone call claiming to be from your university about the breach, hang up and call the university directly on a number you find independently
This month:
- Check whether your email address appears in known breach databases
- Review what publicly available information about you could be combined with the breach data to enable targeted attacks
- Set up monitoring for any new appearances of your data in dark web sources
Ongoing:
- Treat any communication referencing your Canvas data with elevated suspicion for the next 12-24 months
- Stay informed about follow-on incidents — ShinyHunters and related groups frequently target institutions that have been previously compromised, knowing the data is already mapped
Get a free intelligence report — see what's actually out there
At SelfCybr, we specialise in dark web intelligence and open-source intelligence (OSINT). In the wake of the Canvas breach and the Instructure settlement, we're offering a free Dark Web and OSINT Intelligence Report to anyone who may have been affected.
Your free report includes:
- A check for your email address across known dark web data dumps and breach databases
- Identification of any other historical breach exposures linked to your email
- An OSINT review of publicly accessible personal information that attackers could combine with the Canvas breach data
- A plain-language summary of your current exposure level
- Specific, prioritised recommendations based on what we find
The report is compiled by our intelligence team and delivered to your inbox. It's not an automated breach checker — it's a real analyst-reviewed report you can act on.
How to get your free report
It takes less than two minutes.
Your information is handled in accordance with the Australian Privacy Act 1988. We will never sell or share your personal data. See our Privacy Policy for full details.
After your report — ongoing protection
Once you've received your report, you'll have a clear picture of your current exposure. For most people, that's a starting point — not an end point.
The threat from the Canvas breach isn't ending today. The data exists. It was sampled, copied, and reviewed by parties outside Instructure's control. Phishing campaigns built off this dataset will run for years.
SelfCybr Proactive Monitoring provides continuous dark web surveillance — alerting you in real time whenever your information surfaces in underground forums, new breach data, or OSINT sources. It's the difference between finding out about an exposure when something has already gone wrong, and finding out the moment your data appears.
For anyone affected by the Canvas LMS breach, we're offering 20% off Proactive Monitoring with code CANVAS20.
The bottom line
Instructure paid the ransom. That's a fact. Whether the data was actually destroyed is something none of us — Instructure included — can independently verify.
The reasonable position is to act as though the data is in the wild, because for practical purposes it is. The samples have been seen. The threat model hasn't changed. The phishing campaigns that will be built off this data are coming regardless.
The good news is that the actions you can take are clear, achievable, and free to start with. Get your report. Update your password. Turn on MFA. Be suspicious of unsolicited contact. And consider whether ongoing monitoring is worth the peace of mind.
We'll continue to track this incident and post updates as the situation develops.
