Instructure, the company behind Canvas LMS, reached a settlement with hacking group ShinyHunters on May 11, 2026 — hours before a May 12 deadline. The company paid an undisclosed amount and says it received shred logs as proof that 3.65 terabytes of stolen data was destroyed. Exposed data included names, email addresses, student IDs, and private messages from more than 8,800 institutions. Passwords and financial data were not involved. Here's what the resolution actually means for students.

The ransom is paid. The deal is done. But whether your data is truly gone is a different question.

On the evening of May 11, 2026, Instructure published a statement confirming it had reached an agreement with ShinyHunters — the cybercriminal group that breached Canvas in late April — for an undisclosed sum. According to Instructure, the hackers returned the compromised data and provided "shred logs" as verification it was destroyed. The company says "no Instructure customers will be extorted as a result of this incident."1

If you were waiting to see how this ended, the short answer is: better than it could have been. The longer answer is more complicated.

What "Shred Logs" Actually Tell You

A shred log is a file that records when and how data was deleted from a storage system. When Instructure says it received proof of deletion, it means the hackers generated a log showing files were wiped on systems they controlled.

The limitation is obvious: shred logs confirm deletion on one device, at one point in time. They do not confirm that copies weren't made and stored elsewhere before deletion. There is no independent auditor. There is no third-party verification.

Paying a ransom and receiving shred logs does not guarantee stolen data has been permanently erased. Security researchers note that criminal groups cannot provide enforceable guarantees. Keep monitoring your accounts and email address regardless of this settlement.

That said, ShinyHunters has an established pattern: when they settle, the data typically does not resurface publicly. That is not a guarantee. It is a pattern.

What Data Was Exposed

Instructure confirmed the breach affected names, email addresses, student ID numbers, and private messages exchanged through Canvas — including conversations between students and instructors. The Duke Chronicle reported the breach specifically impacted Duke University, among thousands of other institutions.2

8,800+

What was confirmed not involved: passwords, birth dates, government IDs, and financial data. Students do not need to freeze credit cards or change banking information based on what was exposed in this breach.

The Risk That Stays: Targeted Phishing

Even with a ransom paid and data purportedly destroyed, the breach has a long tail — because the information that was exposed is exactly what attackers need to make fake emails convincing.

Your name, email address, and school affiliation are enough for someone to write a message that looks like it came from your registrar, your financial aid office, or Canvas itself. That risk does not expire when a deal is signed.

Watch for emails asking you to verify your Canvas account, re-enter login credentials, or confirm financial aid details. Real institutions send official communications through student email portals — not links in unexpected messages. When in doubt, go directly to your school's official website rather than clicking any link.

For more on protecting yourself at school, our guide on college safety tips for freshmen covers digital and physical safety basics.

What to Do This Week

If you haven't taken the steps covered in our Canvas breach guide from May 8, do them now:

  • Change your Canvas password — even though passwords weren't exposed, it is good practice after an incident of this scale
  • Enable multi-factor authentication on your student email if your school offers it
  • Stay alert to unusual emails about your account for the next 60–90 days
  • Check whether your school sent official guidance about monitoring your student ID number

Your FAFSA data was not at risk in this incident. FAFSA is processed separately through studentaid.gov, which runs independently of Canvas. If you have questions about how the financial aid application works, our FAFSA step-by-step guide covers the full process.

For students finishing finals who need backup study resources, our guide on how to study effectively in college and tips for saving on college textbooks can help you work around any remaining access issues.

If the stress of finals combined with this security incident is getting to you, our guide on college mental health resources lists what's available at most campuses — including after-hours support.

Footnotes

  1. Inside Higher Ed. (2026, May 11). Instructure Pays Ransom to Canvas Hackers. Inside Higher Ed. https://www.insidehighered.com/news/tech-innovation/administrative-tech/2026/05/11/instructure-pays-ransom-canvas-hackers

  2. The Duke Chronicle. (2026, May 12). Instructure strikes agreement with hackers after Canvas breach hits Duke, thousands of other schools. The Duke Chronicle. https://www.dukechronicle.com/article/duke-university-instructure-reaches-agreement-with-canvas-hackers-shinyhunters-cyberattack-leak-down-stolen-data-ransom-20260512