Massive Canvas Hack Hits Dutch Universities, Millions of Records Stolen
Education software giant Instructure has confirmed a major data breach affecting 275 million people. Hacker group ShinyHunters, also behind the Odido attack, has given the company until 6 May to pay a ransom or see student data leaked online.
A massive cyberattack on education software company Instructure, best known as the parent company of learning platform Canvas, has hit users at universities and colleges across the world, including in the Netherlands. The hacker group ShinyHunters, also behind the recent attack on Dutch telecom company Odido, claims to have stolen data on around 275 million students, teachers and staff at almost 9,000 schools worldwide.
Rentals in the Netherlands
Signaal tracks the Dutch rental market and notifies you the moment something matches your search. Be first to apply.
What was stolen
Instructure has confirmed that names, email addresses, student ID numbers, and messages between users on the Canvas platform were stolen during the attack. According to the company, there is no evidence so far that passwords, dates of birth, government identification numbers, or financial information were involved.
The hackers themselves claim much more. ShinyHunters say on their dark web leak site that they have 3.65 terabytes of data, including "billions of private messages" exchanged between students and teachers, and between students themselves. They also claim to have breached Instructure's Salesforce environment, which is reported to be the entry point used in this attack.
That second category, the messages, is particularly sensitive. Communications inside an education platform can contain conversations about study progress, personal circumstances, disciplinary issues, support requests, or other private exchanges between students and staff.
Dutch institutions affected
Canvas is one of the most widely used learning management systems in the world, and many Dutch universities and colleges of higher education rely on it for everything from coursework and assignments to internal communications. Confirmed Dutch users include Fontys Hogescholen, Maastricht University, Hogeschool Utrecht, the University of Amsterdam (UvA), VU Amsterdam, Erasmus University Rotterdam and Tilburg University.
Maastricht University has informed its students and staff by email that it is aware of the attack. The university says it does not yet know whether data of its own students or staff has been stolen, but states that Canvas is still safe to use.
Who are ShinyHunters
ShinyHunters is a financially motivated cybercriminal group that has been linked to a series of high-profile data thefts in recent years, including attacks on Google, AT&T, Air France-KLM, Microsoft, and Ticketmaster. Earlier this year, the same group was behind the cyberattack on Dutch telecom Odido, which exposed the data of millions of people in the Netherlands.
The group's typical playbook is to steal data, list the victim on a dark web leak site, and demand payment under threat of releasing the data publicly. In Instructure's case, ShinyHunters has set a deadline of 6 May. "Instructure Holdings, this is a final warning," the group wrote on its leak site. "Get in touch before 6 May, otherwise we will leak data and other unpleasant (digital) problems will come your way. Make the right choice — don't be the next headline."
A pattern at Instructure
This is not the first time Instructure has been hit by ShinyHunters. In September 2025, the company disclosed a separate incident in which attackers used social engineering to gain access to its Salesforce instance. At the time, Instructure said no Canvas product data had been accessed and the exposed information was largely public business contact data. The fact that ShinyHunters has now reportedly used a Salesforce vulnerability to attack the company a second time has raised questions about whether the remediation taken after the first incident went far enough.
Instructure has confirmed that the company has applied patches, increased monitoring, and rotated application keys to deal with the breach. Users of certain integrations have been asked to re-authorise their access. As of 3 May, Canvas Data 2 has been restored for all customers globally, but the Canvas Beta and Test environments remain offline for maintenance.
Why education is increasingly a target
Cybersecurity experts say the attack underlines a broader trend: education systems have become attractive targets because they hold large volumes of personal data, often with security budgets that lag behind those of the commercial sector. Education has become "a soft target," one cybersecurity expert told Dutch IT Channel.
The attack also highlights what experts call a single point of failure. Because so many institutions worldwide rely on one platform for their entire teaching process, a single breach affects huge numbers of people at once. For organisations, the question is no longer just whether their supplier was well secured, but how dependent they are on that supplier in the first place, and how quickly they can act if something goes wrong.
What users can do
For students and staff at affected institutions, the immediate advice from cybersecurity experts is to change passwords on Canvas and any linked accounts, and to be especially alert to phishing emails referring to Canvas in the coming weeks. Even though Instructure says no passwords were stolen, the stolen email addresses and student ID numbers can easily be used in targeted phishing campaigns.
The investigation is still ongoing, and Instructure has said it will continue to update users as more becomes clear.
