Instructure, the parent company of Canvas, says it reached an agreement with the unauthorized actor behind a cyberattack that exposed school-related user data and disrupted access to the education platform.

The company said the stolen data was returned and that it received digital confirmation of destruction through “shred logs.” Instructure also said the agreement covers affected customers and that schools do not need to contact the actor individually.

The announcement may ease immediate fears of a public leak, but it does not eliminate every risk for students, parents, teachers or schools. Instructure said there is “never complete certainty” when dealing with cybercriminals, and the company is still conducting forensic work and reviewing the data involved.

The company said the exposed fields included usernames, email addresses, course names, enrollment information and messages. It said core learning data, including course content, submissions and credentials, was not compromised.

The breach has been linked in public reporting to ShinyHunters, a hacking group that claimed responsibility and threatened to leak data involving nearly 9,000 schools worldwide and 275 million individuals, according to AP reporting. Instructure has not publicly disclosed whether the agreement involved a payment.

Subscribe free for daily political analysis they won’t broadcast. Join 110K+ readers →

The incident also created a policy and oversight consequence. Reuters reported that the House Homeland Security Committee requested a briefing from Instructure CEO Steve Daly or another senior executive about the breach, the amount and nature of data stolen, the company’s response and coordination with federal law enforcement and CISA (The Cybersecurity and Infrastructure Security Agency).

Instructure said the incident involved an issue tied to Free-for-Teacher accounts and that those accounts were temporarily shut down while the company applies additional safeguards. The company also said it has notified law enforcement and is working with outside forensic experts.

For schools and families, the practical concern now is follow-up risk. Even if data is not published, exposed names, emails, course details and messages could still increase the risk of targeted phishing or impersonation attempts.

Subscribe free for daily political analysis they won’t broadcast. Join 110K+ readers →