OTTAWA – A massive cyberattack has targeted the prominent global learning management system ‘Canvas,’ leading to the compromise of personal data belonging to students and faculty at thousands of educational institutions worldwide. In Canada, top-tier schools such as the University of Toronto, the University of British Columbia (UBC), and the University of Alberta are among those affected. The platform’s developer, Instructure, confirmed that the breach exposed sensitive information including full names, email addresses, student identity numbers, and private messages sent through the system. However, officials have stated that there is currently no evidence that passwords or financial information were stolen.
The hacking collective known as ShinyHunters has claimed responsibility for the intrusion, asserting they have exfiltrated roughly 3.6 terabytes of data involving 275 million individuals. The group has issued a ransom demand, threatening to leak the stolen data publicly if payment is not received by May 12, 2026. While the platform has been partially restored, the incident has caused significant disruption, particularly as many universities are currently in the midst of their final examination periods.
In response to the breach, universities have issued urgent safety directives to their campus communities. Students and staff are being advised to update their passwords immediately and to remain highly vigilant against sophisticated phishing emails. Authorities have also issued a stern warning never to share Multi-Factor Authentication (MFA) codes with anyone, as cyber-security experts fear the stolen data could be used to create fraudulent documents or facilitate financial identity theft.
