Canvas Data Breach: Millions of Users Affected in Global Cybersecurity Incident
A cybersecurity incident affecting Instructure's Canvas learning management system has resulted in the compromise of personal data belonging to millions of users across thousands of educational institutions worldwide.
The incident, which came to light in early May 2025, involved unauthorized access by a criminal threat actor. Instructure later reported reaching an agreement with the actor for the return and destruction of the stolen data.
Incident Timeline
- April 25–29, 2025: Unauthorized access occurred, originating from a vulnerability in support tickets within Instructure's Free for Teacher accounts.
- May 2, 2025: The security breach was reported to have occurred (Australian time).
- May 7, 2025: Users at some affected institutions reported seeing a ransom message from the hacking group ShinyHunters upon attempting to log in.
- May 12, 2025: ShinyHunters had threatened to leak data unless a settlement was reached by this date.
- Following the breach: Instructure reported it had reached an agreement with the unauthorized actor for the return and destruction of the stolen data. The company stated the data had been returned and digital confirmation of its destruction provided.
Scope of Impact
Global Reach
The breach affected approximately 8,800 to 9,000 educational institutions worldwide, including schools, universities, and vocational facilities in Australia, the United States, and Canada. Estimates of the number of affected individuals ranged from 200 million to 275 million users.
Affected Australian Institutions
Confirmed or reported affected entities include:
- Queensland: State schools using QLearn (since 2020), Queensland University of Technology, Griffith University, University of the Sunshine Coast
- New South Wales: University of Technology Sydney (UTS), University of Sydney, Western Sydney University, University of Newcastle, Australian Catholic University, 54 public schools (as reported by the NSW Department of Education), The King's School, Barker College, Reddam House
- Victoria: University of Melbourne, RMIT University, Melbourne Grammar School, Melbourne Archdiocese Catholic Schools
- South Australia: Flinders University
- Tasmania: TasTAFE, Tasmanian state schools
- National: Victorian Department of Education, Queensland Department of Education
Data Compromised
According to Instructure and various institutional statements, the compromised data may include:
- Names
- Email addresses
- School locations (fields of study/institutional affiliation)
- Student identification numbers
- Private messages exchanged between users (teachers, students, parents)
Data Not Compromised
Multiple sources reported no evidence that passwords, dates of birth, government identifiers (e.g., driver's license, passport numbers), or financial information were accessed.
Instructure also stated that core learning data such as course content and submissions were not compromised.
Perpetrator and Response
Attribution
The hacking group ShinyHunters claimed responsibility for the attack. According to the cybersecurity industry website BleepingComputer, the group stated it had obtained 3.65 terabytes of data and demanded an undisclosed ransom. Reports indicated a demand of approximately US$10 million.
Instructure Response
- Engaged external cybersecurity specialists to investigate the incident.
- Secured its systems and engaged law enforcement, including the FBI.
- Temporarily disabled Free for Teacher accounts, which contained the exploited vulnerability.
- CEO Steve Daly apologized for the breach and communication issues, stating: "Over the past few days many of you dealt with real disruption... You deserved more consistent communication from us and we didn't deliver it."
- Reportedly reached an agreement with the unauthorized actor for the return and destruction of stolen data. Instructure stated: "While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind." The company did not explicitly confirm a ransom payment.
- As of May 7, Canvas was available for most users; a full restoration timeline was unclear. UTS shut down its system as a precaution, granting all students an automatic assignment extension.
Government and Institutional Response
- National Cyber Security Coordinator Michelle McGuinness stated her team was coordinating efforts with state and territory governments and education peak bodies. She noted no evidence of compromised personal identification documents or financial information and advised the public not to search for data on the dark web or engage with the threat actor.
- Queensland Education Minister John-Paul Langbroek stated that school principals were contacting families and teachers. The Department of Education provided "priority support" to families known to child safety authorities or those with a history of domestic and family violence.
- The Queensland Department of Education stated QLearn restoration was on track for May 13 and cybersecurity measures would be strengthened.
- Multiple institutions, including UTS, the University of Sydney, RMIT, and the University of Melbourne, reported working with Instructure to confirm if their data was compromised and assess potential impacts.
- The King's School in Sydney reported an internal investigation found unauthorized access between April 25 and 29. Instructure has secured systems and involved the FBI.
- A class action was filed in US federal court in Utah alleging Instructure failed to adequately protect its platform.
Warnings and Expert Commentary
Cybersecurity experts warned that stolen data, despite the agreement for its destruction, could still be used for personalized phishing scams.
Former Australian Cyber Security Centre head Alastair MacGibbon described the incident as a "significant failure" and called for improved defenses. He noted that "reaching an agreement" is commonly understood to mean paying a ransom, and that criminal assurances of deletion have historically proven unreliable. Paying a ransom to hackers is legal in Australia unless the hackers are a sanctioned entity.
Broader Context
The incident highlights the security risks associated with centralized digital learning platforms. Cybersecurity company Proofpoint noted that educational institutions are attractive targets because of the large amount of personally identifiable information they hold.
This breach follows other cybersecurity incidents affecting Australian educational institutions, including a January 2025 cyberattack on the Victorian Department of Education and a 2025 incident at Scotch College. ShinyHunters previously claimed a breach of Instructure in 2024 via third-party software.