- The University
- 08/05/2026
Canvas hackers extend ransom deadline by six days
Hackers group ShinyHunters has given educational institutions six more days to pay ransom money, while ramping up the pressure with a new breach. The group is threatening to publish the data of 275 million Canvas users worldwide, including TU/e staff members and students. The chances of TU/e giving in appear slim, according to a spokesperson.
Last week, it became known that personal data belonging to students and lecturers had been stolen. The data came from Canvas, an educational platform used by around nine thousand institutions worldwide. The attack was claimed by ShinyHunters, a hacking group previously linked to the Odido breach.
Latest update: “breached again”
On Thursday evening, the hackers posted messages on several Canvas websites, including those of Dutch institutions. They claim to have breached the platform again. Update at 12:00 p.m.: TU/e has disconnected all systems that were connected to Canvas.
Initially, Instructure, the American company behind Canvas, had until Wednesday to pay the ransom before all the data would be made public. But the deadline has now been extended by six days, ShinyHunters reported on its website.
According to the group, several institutions have reached out. It did not specify which institutions or from which countries they are. Universities and universities of applied sciences now have until May 12 to negotiate in order to keep their data private. According to the hackers, Instructure itself has not yet made contact.
‘Do not pay ransom’
In the Netherlands, seven universities and at least two universities of applied sciences use Canvas. These include the two Amsterdam universities, Erasmus University Rotterdam, Tilburg University, Maastricht University, University of Twente, and Eindhoven University of Technology, as well as HU University of Applied Sciences Utrecht and Fontys University of Applied Sciences. Students and staff are being urged “to remain alert for possible phishing emails following the data breach,” umbrella organization Universities of the Netherlands wrote.
Following the Odido hack, the Dutch government strongly advised against paying ransom to hackers. There is no guarantee that hackers will keep their promises. “Paying ransom sustains the criminal business model,” Minister of Justice and Security David van Weel wrote at the time.
A matter of principle
TU/e is following the government’s advice, spokesperson Ivo Jongsma said in a written response: “The Dutch government strongly advises against paying ransom in the event of cyberattacks. In line with that advice, we do not believe it is wise to be open to negotiations.”
“Opening the door to negotiations could create the impression that there is something to gain from targeting us, potentially inviting further attacks. Moreover, as a matter of principle, we do not negotiate with criminals.”
This article was translated using AI-assisted tools and reviewed by an editor
Discussion