Hackers Strike Canvas a Second Time, Forcing Education Platform Offline Worldwide

The cybercriminal group ShinyHunters has carried out a second, far more visible attack on the education platform Canvas, briefly seizing login pages at universities around the world on Thursday evening and forcing the platform's American parent company, Instructure, to pull Canvas offline globally. The defacement reached schools and universities in the Netherlands, the United States and the United Kingdom, and has prompted Dutch institutions, including the Vrije Universiteit Amsterdam, to disconnect their systems from Canvas as a precaution.

Rentals in the Netherlands

Signaal tracks the Dutch rental market and notifies you the moment something matches your search. Be first to apply.

A worldwide blackout

Around the middle of Thursday, students and staff trying to log in to Canvas were instead met by a red warning page from ShinyHunters. The message was visible at universities in the Netherlands and abroad for around half an hour before Instructure pulled the platform offline, replacing the login portal with a "Canvas is currently undergoing scheduled maintenance" notice. By late Thursday night, the company said the platform was again available "for most users."

The text on the defaced page mocked Instructure's response. "ShinyHunters has hacked Instructure (again). Instead of contacting us to resolve it, they ignored us and did some 'security patches'," it read in part, while threatening to make the stolen data public.

According to security journalist Brian Krebs, Thursday's defacement effectively serves as public proof that Instructure's claim earlier this week, that the original breach had been "contained" by 2 May, was premature.

Top universities pulled into the dark

Canvas is used by around 41 percent of higher education institutions in North America, and on Thursday a roll call of the world's most prominent universities found themselves on the same defaced page. Harvard, Princeton, Columbia, Stanford, MIT, Cornell, Georgetown, Duke, UC Berkeley, Cambridge and Oxford were all affected.

UC Berkeley's bCourses platform, used by all 43,000 of its students, was taken offline; ShinyHunters claim to have more than 600,000 records from the Berkeley campus alone. Harvard students lost access to Canvas at around 3:30 pm local time, before the site was switched to a maintenance message. The disruption hit at a particularly bad time for many US students, who are in the middle of finals week. Several universities have already extended deadlines or shuffled exam schedules.

The Dutch picture

In the Netherlands, the Canvas pages of both the University of Amsterdam (UvA) and the Vrije Universiteit (VU) Amsterdam displayed the ransom message during the same window, according to BNR Nieuwsradio.

The VU then went a step further, announcing late on Thursday night that, as a precaution, it had disconnected all systems linked to Canvas. Anyone trying to visit the Canvas site is currently redirected to a VU update page. The university has warned that this could "potentially affect teaching and attendance" on Friday. The VU is still waiting for confirmation from Instructure on whether and which of its data was affected.

The UvA, which sits on the same Canvas infrastructure, has confirmed that data of its students and staff was caught up in the original breach. The university says it does not yet know exactly what has been taken, with Instructure still investigating. The UvA stresses that Canvas itself remains "safe to use" and has urged its community to be alert to phishing emails.

According to Universiteiten van Nederland (UNL), the umbrella body for Dutch research universities, the Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology, Maastricht University and the University of Twente have also been affected.

Deadline extended, pressure increased

The original ransom deadline set by ShinyHunters expired on 6 May. The group has now extended it to 12 May, saying that some institutions have entered into ransom negotiations. On its dark web leak site, ShinyHunters now lists around 8,809 schools, universities and online education platforms as victims, with stolen data ranging from tens of thousands to several million records per institution.

The group has previously been linked to attacks on the University of Pennsylvania in late 2025, in which Penn refused a $1 million ransom demand and saw 461 megabytes of internal data ultimately published online. The same group is also blamed for the cyberattack on Dutch telecom provider Odido earlier this year.

A vendor problem, not just a school problem

Cybersecurity experts say the Canvas incident reflects a broader pattern in which attackers target the third-party vendors that sit beneath thousands of institutions, rather than individual campuses. According to Doug Thompson of cybersecurity firm Tanium, this is "a clear pattern we've been watching for the last 18 months." Charles Carmakal of Google-owned Mandiant Consulting added that "there are multiple concurrent and discreet ShinyHunters intrusion and extortion campaigns happening right now."

That structural issue has also been on the radar in the Netherlands. SURF, the IT cooperative for Dutch education and research, carried out a data protection impact assessment (DPIA) on Canvas last year, looking specifically at security risks. Whether any of those findings relate to the current breach is not yet clear.

For now, students and staff at affected Dutch institutions are being asked to be alert to phishing emails using Canvas branding, to change their passwords, and to expect possible disruption to lectures and assignments in the coming days.