Instructure said it reached an agreement with the unauthorized actor behind the Canvas cyberattack, after the breach disrupted instruction for colleges and K-12 districts during finals. The company reported that stolen data was returned and it received “digital confirmation” that remaining copies were destroyed, while it also noted it cannot provide absolute certainty. The ShinyHunters group claimed responsibility for stealing data from roughly 9,000 institutions and up to 275 million users, creating an extortion timeline that pushed many campuses to contingency plans while waiting for public updates. Instructure’s disclosures also indicated the incident involved student and educator identifiers and course-related information, while passwords and financial data were not found to be compromised. Several campuses and districts issued alerts after threat activity targeted Canvas accounts, underscoring how LMS dependencies can quickly become operational risks—not just isolated IT events. Higher education leaders and campus technology offices are now likely to re-examine vendor incident-response processes and expectations for data deletion verification. In parallel, additional coverage focused on how SaaS systems used by education providers are increasingly becoming “target rich, resource poor” environments for ransomware and extortion campaigns, raising pressure for stronger third-party governance and continuity planning.