Student data of millions stolen in Canvas hack

A cyberattack on the Canvas learning platform has led to the theft of data belonging to 275 million users. TU/e is also investigating whether student and staff data has been affected. If the software’s developer does not pay ransom, hackers are threatening to publish part of the stolen data.


Names, email addresses, student numbers, and correspondence between students and teachers are said to have been stolen in a hack targeting Instructure, the US-based company behind Canvas. The company confirmed the incident last Friday.

The hacker group ShinyHunters, previously linked to the large-scale breach at Dutch telecom provider Odido, has claimed responsibility for the attack and says it has obtained data from 275 million students, teachers, and other users. The group claims that Dutch students are also included in the stolen dataset.

At least nine Dutch institutions affected

TU/e is among several Dutch higher education institutions that use Canvas, along with the University of Amsterdam, Vrije Universiteit Amsterdam, Erasmus University Rotterdam, Tilburg University, Maastricht University, the University of Twente, Utrecht University of Applied Sciences, and Fontys University of Applied Sciences. The platform is widely used by lecturers to distribute course materials and assignments.

Students use Canvas to check schedules and grades, and can also send messages to classmates and instructors within the platform. According to the hackers, all of this data—though not passwords—has been accessed.

It is still unclear how ShinyHunters managed to obtain data from so many institutions. Instructure has reportedly been given until Wednesday to pay a ransom, or the hackers will begin releasing student data publicly. The group previously used a similar tactic in a 2024 attack on Dutch telecom company Odido, after the company refused to pay a €1 million ransom.

Widely used globally

Instructure, founded in 2008, is best known for Canvas, its learning management system. Around 9,000 educational institutions worldwide use the platform. In 2024, the company was acquired for $4.8 billion by investment firm KKR.

A defining feature of Canvas is that it does not run on university or college servers, but on Amazon Web Services (AWS). Institutions receive their own login environments, while Instructure manages the software and data.

In principle, data from different institutions is strictly separated, according to a privacy audit conducted last year by Dutch IT cooperative SURF. However, this apparently did not prevent hackers from accessing data belonging to millions of users.

Negotiations

According to Dutch broadcaster BNR, ShinyHunters is also urging individual educational institutions to negotiate ransom payments directly in order to keep their data private. This could indicate that Instructure is refusing to pay. BNR reports that 44 Dutch institutions may have been affected, although that number appears inaccurate, as some listed institutions do not use Canvas.

TU/e is currently assessing the potential impact of the data breach. The university says it will provide updates once more clarity becomes available, and further reporting will follow in a separate article.

This article was translated using AI-assisted tools and reviewed by an editor
