Stolen Canvas data was “returned” after hacker agreement, Instructure says
The Instructure/Canvas data breach that has dominated cybersecurity coverage recently has reached a new stage.
Millions of students had personal data stolen, with extortion group ShinyHunters claiming credit for the data breach and applying extra pressure for their ransom demands by bothering Canvas users directly.
That pressure seems to have paid off. On the Instructure web page about the recent data breach, a status update dated May 11, 2026 says:
“We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.
With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident.”
This implies that Instructure has paid ShinyHunters. At least some of that money will almost certainly go toward funding future cybercrime operations. Whether companies should ever pay ransomware or extortion demands remains a contentious debate, and that is not an argument I want to reignite here.
What I don’t understand is the next phrase in the update:
“The data was returned to us.”
While that may be intended to sound reassuring, in cybersecurity, data is not a borrowed laptop or a misplaced folder. Once copied, it can be copied again, and again.
That matters because the incident wasn’t just about temporary access. Instructure said the unauthorized access involved usernames, email addresses, course names, enrollment information, and messages.
Data cannot simply be “returned”
So, when a company says the data was “returned” and “shred logs” were provided, the real question is not whether the attackers still possess the original files. It is whether copies were made, whether those copies were shared, and with whom. In essence, the question is whether the breach’s downstream risks have actually been eliminated. While these types of cybercriminals tend to operate on trust, digital data does not come with a guaranteed recall function.
The good news is that Instructure says no passwords, dates of birth, government identifiers, or financial information were involved. But names, email addresses, course details, and private messages are still enough to fuel highly targeted phishing and social engineering long after the headlines fade.
For students and families, the practical advice from our original blog still applies:
- Reset Canvas‑related passwords
- Enable multi‑factor authentication where possible
- Monitor financial and credit activity as children get older
- Stay wary of highly personalized phishing that references real schools, courses, or teachers
Article Link: https://www.malwarebytes.com/blog/news/2026/05/stolen-canvas-data-was-returned-after-hacker-agreement-instructure-says