Canvas Is Back Online. But 275 Million Stolen Student Records Didn't Disappear.

What "back online" actually means

Instructure restored access to the Canvas platform. Teachers can post materials. Students can submit assignments. The website works again.

What it does not mean:

• The 275 million stolen records were recovered. They weren't. ShinyHunters still has them.
• The stolen data was deleted. There is no confirmation of this. Criminal extortion groups do not reliably delete data after payment or after their deadline passes.
• Affected students are no longer at risk. They are still at risk — potentially for years.
• The architectural problem that caused the breach was fixed. It was not. Instructure still stores all student data on their central servers. The same breach could happen again for the same reason.

What's still out there

According to Instructure's own disclosures and reporting by TechCrunch, the stolen data includes:

• Names of students, teachers, and staff
• Institutional email addresses
• Student ID numbers
• Private messages exchanged within Canvas between students and teachers

ShinyHunters claimed records from 9,000+ institutions and 275 million individuals. TechCrunch reviewed a sample of the stolen data and confirmed its authenticity.

That data does not disappear because Canvas turned its servers back on.

The long-term risk to students

Cybersecurity experts are consistent: the impact of this type of breach is often felt months or years after the initial incident.

Here is what the stolen data enables:

Targeted phishing. An attacker with a student's name, institutional email, student ID number, and the content of their private Canvas messages can craft extremely convincing phishing emails — impersonating professors, financial-aid offices, or classmates using real names and real course contexts.

Identity correlation. Combined with previous breaches — PowerSchool (2024), Chegg (2018), EAB (2021) — attackers can build comprehensive profiles enabling account takeovers, credential stuffing, and social engineering.

Institutional impersonation. The stolen data gives attackers enough context to convincingly impersonate university administrators and IT departments in targeted campaigns against students and families.

What schools should ask right now

The moment Canvas comes back online is exactly when institutional technology leaders should be asking hard questions — while the memory is fresh and before the next procurement cycle buries it.

Where does our student data physically live?

If the answer is “on the vendor's servers,” a breach of that vendor exposes your students. Every major LMS vendor operates this way. Canvas does. Blackboard does.

What would a breach of your systems expose from our institution?

For Canvas this week: everything. Names, emails, student IDs, private messages — from every institution on their platform, all accessible from one attack.

Can we connect our own database?

This is the BYODB question. If a vendor supports institutions connecting their own database, student data never leaves institutional infrastructure. A breach of the vendor exposes only configuration data — not student records.

The architecture that prevents this

SetFlow was built with a different answer to where student data lives.

BYODB — Bring Your Own Database — means institutions connect their own PostgreSQL-compatible database. Student names, emails, IDs, grades, submissions, and messages are written to the institution's own database. SetFlow's servers never permanently store student records.

Under BYODB, a breach of SetFlow's servers exposes institution configuration and AES-256 encrypted connection strings. Not student records. Because student records are not on SetFlow's servers.

You don't have to replace Canvas

SetFlow supports full LTI 1.3 Advantage integration. Institutions can add SetFlow alongside Canvas — students access SetFlow directly from inside Canvas with automatic login, grades pass back to Canvas automatically.

Schools can use SetFlow's BYODB architecture and AI features while maintaining their existing Canvas contract. When the contract comes up for renewal, they have a tested alternative ready.

Setup takes 30 minutes. Credentials at getsetflow.app/lti/credentials.

Tori: AI that actually acts

SetFlow includes Tori — an AI that works differently from Canvas's bolted-on AI.

For students: Tori reads lecture notes, builds personalized study plans, generates flashcards and practice exams, gives feedback on drafts before submission, and sends daily morning briefings.

For teachers: Tori generates rubrics and quiz questions from course content, provides AI-assisted first-pass grading for review and override, and drafts class announcements.

Tori is structural. Canvas AI is an add-on. The difference matters when you're evaluating what actually helps students learn.

What affected schools should do

Today: Notify students that while Canvas is restored, stolen data remains exposed. Alert them to watch for phishing attempts using Canvas-related language, course names, or professor names.

This month: Evaluate whether your LMS vendor's data model is acceptable going forward. The question is not whether Canvas is a good product. The question is whether centralizing student records on a vendor's servers is an acceptable institutional risk.

SetFlow's offer: Free 90-day institutional pilot with full BYODB setup, LTI integration support, and direct founder access throughout. No commitment. No per-seat fees during pilot.

Contact [email protected] or visit getsetflow.app/companies.

The bottom line

Canvas being back online is good news for students who needed to submit finals.

It is not good news for 275 million people whose data is still with ShinyHunters. It is not a fix for the architectural model that made the breach possible. And it is not a reason to stop asking the questions this week forced everyone to ask.

The centralized model will be breached again. The question for every school is whether their students' data will be in that breach.