You’re probably breathing a sigh of relief if you’re a student, teacher, or parent who relies on Canvas. After weeks of chaos, Instructure—the company behind the platform—claims it reached an "agreement" with the hackers who stole 3.65 terabytes of data. They’ve even got "shred logs" to prove the data was deleted. But let's be real: trusting a cybercrime group like ShinyHunters to delete stolen data is like trusting a shark to guard a tuna sandwich.
The deal supposedly stops the leak of information from 275 million users across nearly 9,000 schools. While the company is spinning this as a win for "peace of mind," the reality is far messier. If you’re a student at Arizona State or a teacher in Australia, your digital life just became a lot more complicated, regardless of any secret handshake between Instructure and a group of extortionists.
The ShinyHunters Heist and the Free Account Loophole
This wasn't some sophisticated, movie-style hack involving complex codes and mission-impossible stunts. It started with a vulnerability in "Free-For-Teacher" accounts. Hackers found a way in through an issue related to support tickets, which allowed them to siphon off a staggering amount of data.
What exactly did they take? We’re talking about:
- Student ID numbers and full names.
- Email addresses for millions of users.
- Enrolment details and course names.
- Private messages sent between students and teachers.
The sheer volume of private messages is the most alarming part. These aren't just dry data points; they're personal conversations. While Instructure claims passwords and financial info weren't touched, the stolen data is a goldmine for anyone wanting to craft a perfect phishing email. Imagine getting a message that looks exactly like it’s from your professor, referencing a specific conversation you had in Canvas, asking you to "re-verify" your login on a fake page. That’s the real threat now.
Why Shred Logs Are Basically Meaningless
Instructure says they received "digital confirmation" that the data was destroyed. In the world of ransomware, this usually means "shred logs"—automated reports that say files were deleted. It sounds official, but it’s essentially a receipt from a thief.
In cybersecurity circles, we know there's no way to verify if a copy of that 3.65TB folder isn't sitting on a backup server in a country that doesn't care about US law. Organizations like the FBI generally advise against paying ransoms because it funds the next attack and offers zero guarantees. By making a deal, Instructure might have bought some temporary silence, but they haven't actually deleted the risk.
Other companies have tried this and failed miserably. In 2024, PowerSchool paid a ransom to ensure data deletion, only for the hackers to turn around and extort individual school districts anyway. There's no honor among thieves, and thinking ShinyHunters will be the exception is a dangerous gamble.
The Chaos of Finals Week
The timing couldn't have been worse. The attack ramped up in early May 2026, right as universities were hitting final exams. When Instructure took the system offline to contain the breach, they locked out millions of people at the worst possible moment.
At Sacramento State and Arizona State University, students trying to log in were met with a defaced landing page. Instead of their dashboard, they saw a ransom note from ShinyHunters. It wasn't just a technical glitch; it was a psychological hit to students already under high stress. Instructure CEO Steve Daly eventually apologized for the "lack of transparency," but for students who couldn't submit their final papers on time, "I'm sorry" feels a bit light.
What You Need to Do Right Now
If you're one of the 275 million people potentially involved, don't wait for a notification that may never come. You need to assume your email and student ID are out there.
1. Change Your Password Now
Even though Instructure says passwords weren't compromised, it’s the first thing you should do. If you use that same password for your bank or your personal email, change those too. Use a password manager so you don't end up using "Password123" for everything.
2. Audit Your Messages
Think about what you’ve sent through the Canvas inbox. Did you ever send a photo of an ID? Did you mention personal health issues or sensitive family info to a teacher? If you did, you're at higher risk for targeted scams.
3. Treat Every Email as Suspect
Expect an influx of highly specific phishing attempts. These won't look like the "Nigerian Prince" scams of the 2000s. They'll look like official Canvas notifications or school administration emails.
4. Enable MFA Everywhere
If you don't have multi-factor authentication (MFA) turned on for your school account and your personal email, do it today. It's the single best way to stop a hacker even if they have your password.
Schools also have a role to play here. Districts need to stop treating EdTech vendors like untouchable utilities. If you're a school administrator, you should be demanding a full forensic audit from Instructure before you renew any contracts. The fact that a "Free-For-Teacher" account could compromise the data of 275 million people suggests the walls between different parts of the platform were way too thin.
The "agreement" with ShinyHunters is a band-aid on a gunshot wound. It might stop the immediate bleeding—the public leak—but the infection of stolen data is already in the system. Stay cynical, stay alert, and don't trust a shred log to protect your privacy.
