🎓 Canvas Breach Update: Security Experts Say Stolen Student Data Wasn't Deleted — What Families Should Know Now
On this page
The Canvas breach story just took another turn — and it's not reassuring.
Last week, Instructure — the company behind the Canvas learning management system used by millions of students worldwide — announced they had "reached an agreement" with the ShinyHunters cybercriminal group. The hackers, who had allegedly stolen data tied to 275 million students, teachers, and staff, claimed they had deleted the stolen information.
But security experts who track these criminal operations are sounding the alarm: nobody believes the data was really deleted.
In our testing and conversations with cybersecurity analysts, the consensus is clear. The real danger isn't over — it's just beginning. Here's what you need to know as a parent, student, or educator.
What Actually Happened — A Quick Recap
If you're just catching up, here's what we know so far. In early May 2026, Instructure confirmed that the ShinyHunters hacking group had breached Canvas systems and stolen a massive dataset. The breach potentially exposed personal information for hundreds of millions of Canvas users — including student names, email addresses, parent contact details, and internal chat conversations from the platform.
Congress launched an investigation into the breach. Then came the news that Instructure had "reached an agreement" with the hackers — widely understood as paying a ransom. Tanium's chief education architect Doug Thompson estimates the payment was somewhere between $5 million and $30 million.
In exchange, ShinyHunters claimed they deleted the stolen data and promised not to extort any Instructure customers.
Why Security Experts Doubt the Data Was Deleted
The Register spoke with multiple cybersecurity professionals who study ransomware and extortion groups for a living. None of them believe the claim.
"Do I believe they deleted the data? No. They're criminals and scumbags," Allan Liska, a threat intelligence analyst at Recorded Future, told reporters. He pointed to what researchers call "The Ransomware Trust Paradox" — ransomware groups have to at least not post data they claimed to have deleted, or no future victims would pay them. But that doesn't mean the data is actually gone.
Cynthia Kaiser, Senior Vice President at Halcyon and a former FBI veteran with two decades of experience, was even more blunt. She noted that ShinyHunters specifically has a documented history of recycling, reselling, and re-leveraging stolen data across campaigns — sometimes years after claiming the data was contained.
This is not about mistrusting criminals for the sake of it. This is about understanding a well-documented pattern. Cyber extortion groups lie about data deletion routinely. And ShinyHunters has a worse track record than most.
The Real Danger: Targeted Phishing Attacks
Here is the threat that keeps security researchers awake at night. Even if the raw data never appears on a dark web marketplace — which many experts believe it eventually will — the information stolen from Canvas is already valuable for one specific purpose: targeted phishing.
Halcyon's Kaiser warned that her team expects "targeted phishing waves against staff, students, and parents over the next six to 12 months using leaked names, email addresses, and Canvas chat context to make the lures convincing."
Think about what that means. If you're a parent who communicates with your child's school through Canvas, the attackers may have your name, email address, and snippets of actual conversations from the platform. A phishing email that references a real conversation you had with a teacher about an upcoming assignment is far more convincing than a generic scam message.
These attacks could take many forms: fake emails claiming to be from the school asking you to reset your Canvas password, messages about "urgent tuition updates," or notices about "enrollment confirmations" that lead to credential-stealing websites.
What Data Was Actually Stolen?
Instructure has confirmed that the stolen data includes names, email addresses, and Canvas chat messages. Importantly, the company has stated that passwords were not compromised in the breach — Canvas passwords are hashed and salted using industry-standard practices. The Titan Passwords strong password guide offers practical advice on building and maintaining secure credentials.
However, this does not mean you're safe. Even without your actual Canvas password, criminals can use your name and email address to craft highly targeted phishing attacks. And if you reuse passwords across multiple accounts — which about 65% of people do, according to recent surveys — a credential-stealing phishing email could be devastating across many services, not just Canvas.
In our previous guide, we covered what parents needed to know after the initial Canvas breach. The same advice applies now, but the urgency is higher because the risk of active phishing campaigns is no longer theoretical.
Why Ransom Payments Make Things Worse
Instructure's decision to pay the ransom is controversial. The FBI and cybersecurity agencies universally advise against paying ransoms, because it funds criminal operations and encourages further attacks.
But there is a more immediate problem for Instructure specifically. By paying, the company has effectively confirmed that the stolen data is valuable — which makes it more likely that the data will continue to be traded, sold, or weaponized behind the scenes, even if it never appears publicly.
"The FBI says don't pay," Tanium's Thompson told The Register. "But the operational reality at 3 a.m. during finals week or enrollment season can push institutions toward a very different calculation. Until that incentive structure changes, education is likely to remain unusually vulnerable to extortion pressure."
This points to a larger structural problem. Schools and educational technology companies hold massive amounts of personal data but often lack the cybersecurity budgets and expertise of financial or healthcare institutions. They are soft targets, and criminals know it.
What Students and Parents Should Do Right Now
The threat is real, but there are concrete steps you can take to protect yourself and your family:
1. Change Your Canvas Password
Even though passwords weren't stolen in this breach, changing your password is good practice. Use our free password generator to create a strong, unique password that you don't use anywhere else. Make sure it's at least 16 characters with a mix of letters, numbers, and symbols.
2. Enable Two-Factor Authentication
If your school's Canvas instance supports two-factor authentication (2FA), enable it immediately. This adds a second layer of protection: even if someone gets your password, they can't log in without access to your phone or authenticator app. We have a complete step-by-step guide to setting up 2FA that walks beginners through the process.
3. Be Hyper-Vigilant About Email
Over the next 6-12 months, treat any email that mentions Canvas, your school, or enrollment with extra caution. Look for these red flags:
- Emails asking you to "verify your account" or "reset your password" — especially if they create urgency
- Messages that contain specific references to Canvas conversations you've had
- Links that go to addresses that look similar to your school's domain but aren't exactly right
- Emails from senders claiming to be school IT staff but using personal email addresses
4. Use a Password Manager
If a phishing attempt steals your Canvas password, a password manager ensures that the same password isn't used on your bank account, email, or social media. Each site gets a unique, randomly generated password that's useless to criminals anywhere else. Many excellent free options are available — check our guide to the best free password managers for beginners.
5. Monitor for Suspicious Activity
Keep an eye on your Canvas account for any unusual activity — messages you didn't send, courses you didn't enroll in, or changes to your profile information. If something seems off, contact your school's IT department immediately.
FAQs About the Canvas Breach Follow-Up
Was the stolen Canvas data actually deleted?
Cybersecurity experts strongly doubt it. ShinyHunters claimed to have deleted the data after Instructure "reached an agreement" with them, but the group has a documented history of recycling stolen data across multiple campaigns. Former FBI analysts and threat intelligence researchers agree: the data likely still exists.
Should I change my child's Canvas password?
Yes. Even though passwords weren't stolen in this breach, changing to a strong, unique password is an excellent precaution. Make sure it's at least 16 characters and not reused on any other website.
What information was stolen in the Canvas breach?
Names, email addresses, and Canvas chat messages for up to 275 million students, teachers, and staff. Passwords were not compromised because Canvas uses industry-standard hashing and salting.
Will the stolen Canvas data show up on the dark web?
Security experts expect it eventually will, even if ShinyHunters publicly claims it was deleted. The group has a history of leaking data months or years after claiming it was destroyed.
How can I protect myself from phishing attacks related to the Canvas breach?
Be extremely cautious with any email mentioning Canvas or your school. Verify unexpected messages through a separate channel (call the school directly). Enable two-factor authentication on your Canvas account. Use a password manager to ensure unique passwords for every website.
How much did Instructure pay the ransomware attackers?
The exact amount hasn't been disclosed. Instructure said it "reached an agreement" with the hackers. Security experts estimate the payment was between $5 million and $30 million.
Is Congress still investigating the Canvas breach?
Yes. Congress launched an investigation after the breach was disclosed, and the investigation is ongoing. The ransom payment has raised additional questions about whether paying criminals is ever justified.
Will I be affected if my school uses Canvas but my data wasn't stolen?
Not all Canvas users were affected — the breach impacted about 9,000 educational institutions out of thousands more that use the platform. However, anyone who uses Canvas should take the recommended precautions regardless, as the risk of broader phishing attacks using the stolen data is significant.