Oh dear. A few things are to be considered here.
First of all, since the purpose of a warrant canary is primarily to inform users of a service about whether they received something like a national security letter it has been designed in a very particular way. A canary like this is supposed to be renewed regularly up to the point when it doesn't apply anymore. If they receive a NSL or something like it, it won't be renewed anymore.
Their last canary is actually from the 16th of August, as you may see here: https://riseup.net/canary They were a few days late on their last one which is rather problematic as a system like this relies on precise updates. Being even a day of is considered problematic as the whole point of this system are permanent, predictable updates. If they aren't made in the same manner and in the same time-window, they shouldn't be considered "untainted", since such behavior would go against the concept and the way it provides security as a whole.
That being said, even though they published a (late) canary in August, canaries aren't faultless. A NSL can ask a service-provider to keep their canary up as a facade, even though they have been compromised.
The tweet from the 11th thus could be a hint on something like this happening. "don't listen to me" also is a very specific choice of wording/quotation. If a service like Riseup would hypothetically have been compromised, such a tweet would be the only way to alarm users without breaching laws.
Furthermore, their behavior on this is quite strange. When they posted it on the 11th, the first reactions on 19th made a connection to their canary and a potential breach. However, it took them until the 21st to simply post a quote from their FAQ without stating any substantial information. If a false assumption in this regard has been made, a more concrete answer would be far smarter.
Adding to that it took them another three days to react to the even bigger concerns created by that tweet. Their last tweets contained concerning wording like:
There is no need for panic
Saying "Don't panic!" is, at least from my point-of-view appropriate on the back of some kind of guide, to some kind of galaxy, but not for a service upon which dissidents around the planet/galaxy rely.
In conclusion, while at this point in time, we may only speculate, there are a few things we can definitely record:
1.) Riseup didn't use their warrant canary as it should have. Problematic
2.) They made a quite obscure tweet which, at least from my perspective, they could hardly not notice to contain a very specific subtext, when you keep in mind who they are.
3.) Their current communication is sub optimal at best.
4.) If they had actually received a NSL, it could tell them to keep the warrant canary up, despite them being compromised.
It's hard to make something out of this, without speculating.
Have a nice day,
P.S.: By the way, Google is currently warning Journalist because apparently some kind of "government-based attacker" tried to access their account. Eerie. Source: http://arstechnica.com/security/2016/11/google-warns-journalists-and-professors-your-account-is-under-attack/