ShinyHunters Hacks Canvas LMS: Australian Students Hit in 275-Million-Record Breach
On 1 May 2026, cloud learning platform Canvas LMS — used by millions of Australian students and educators — became the centre of the largest education-sector data breach on record. Criminal extortion group ShinyHunters claimed to have stolen 3.65 terabytes of data covering 275 million users at 8,809 institutions worldwide. Dozens of Australian universities, TAFEs, and every major state school department were caught in the blast radius.
How ShinyHunters Broke Into Canvas LMS
Canvas LMS, developed by Utah-based Instructure, is used by universities, TAFEs, and school systems across Australia and the world to deliver coursework, host assignments, and facilitate private messaging between students and teachers. As of early 2026, Canvas held a dominant position in the Australian higher education market, with adoption reaching into state secondary schools and vocational training providers.
The breach timeline begins on 29 April 2026, when Instructure detected unauthorised activity in its systems and immediately revoked the intruder's access. Despite that initial response, an investigation later revealed the attackers had already exfiltrated a substantial volume of user records. Instructure disclosed the incident on 1 May, acknowledging that names, email addresses, student ID numbers, and private messages had been accessed. The company stated that passwords, dates of birth, government-issued ID numbers, and financial information were not involved.
The entry point was Canvas's Free-For-Teacher account programme — a feature designed to allow individual educators to try the platform at no cost, outside institutional procurement. Instructure confirmed in communications to affected institutions that "an issue" with support tickets associated with these accounts had been exploited. ShinyHunters reportedly used these low-privilege accounts to move laterally through backend systems and exfiltrate data at scale, with the exposure window running from 30 April to 7 May.
A second wave followed on 7 May, when ShinyHunters defaced approximately 330 Canvas institutional login portals, replacing them with ransom demands. This escalation indicated the group retained access even after the initial containment. ShinyHunters set a platform-wide deadline of end-of-day 12 May for Instructure — and a parallel per-institution deadline for schools to negotiate individual settlements or face publication of the full dataset.
On 11 May, Instructure announced it had "reached an agreement" with the extortion group. The company said it retrieved the stolen data and received "digital confirmation of data destruction" through shred logs. Instructure did not disclose the ransom amount. CEO Paul Cowell issued a public apology, stating the company had failed to deliver the "consistent communication" that customers deserved. As The Hacker News reported, ShinyHunters also informed Instructure that no individual customers or institutions would be subjected to further extortion demands.
Australian Universities and Schools Hit Hard
Australia's education sector was disproportionately exposed because Canvas holds a commanding share of the Australian higher education LMS market. Information Age, published by the Australian Computer Society, reported that institutions across the country were individually notifying affected students and staff in line with their obligations under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme.
Among the universities confirmed as affected or actively investigating their exposure are: University of Melbourne, University of Technology Sydney (UTS), RMIT University, University of Sydney, Flinders University, Griffith University, Adelaide University, University of Canberra, Queensland University of Technology (QUT), and Australian Catholic University.
The breach extended well beyond universities. The Queensland Department of Education confirmed its QLearn platform — which runs on Canvas — was affected. The New South Wales, Western Australian, and Victorian Departments of Education all use Canvas for teaching and professional development. Victoria's education department was still recovering from a separate breach in January 2026 when this incident struck. TasTAFE was also listed among affected institutions, alongside private secondary schools including Brisbane Grammar, Sacred Heart College Geelong, and Mentone Grammar.
The timing magnified the disruption. The breach coincided with the examination and assessment period at many Australian universities. UTS, RMIT, Adelaide University, and the Queensland Department of Education temporarily disabled Canvas access as a precautionary measure. Several universities announced assignment and examination extensions for affected students, with academic staff left managing the administrative and pastoral fallout from a platform outage during the most critical period of the academic calendar.
Australia's National Office of Cyber Security confirmed it was coordinating a national response, and the ACSC's ReportCyber portal received a surge in reports from affected institutions and individuals. At 8,809 institutions affected globally — spanning universities, secondary schools, and government education bodies across more than a dozen countries — this breach is considered the largest education-sector data breach on record, according to security researchers cited by Malwarebytes.
The Attack in Detail: Free-For-Teacher Accounts and a Two-Wave Breach
Who is ShinyHunters?
ShinyHunters is a prolific criminal extortion group with a history of high-profile breaches. The group was responsible for the Ticketmaster and Snowflake-linked breach in 2024, which exposed data for hundreds of millions of customers. Their operating model is consistent: breach a platform, exfiltrate bulk data, demand payment, and threaten public release. Their willingness to target education institutions — which typically have lower security maturity than financial or government entities — reflects a deliberate choice to exploit softer targets with high data volumes.
The Free-For-Teacher attack vector
The Free-For-Teacher programme allows individual educators to sign up for a Canvas account without going through institutional procurement. These accounts sit entirely outside the enterprise provisioning workflows a university or school system would normally apply to bulk account creation — meaning they bypass the vendor management controls an institution would typically enforce on account lifecycles, access scoping, and data segregation.
According to Instructure's own disclosure and a technical advisory published by Bitdefender Australia, ShinyHunters exploited a vulnerability in how these Free-For-Teacher accounts processed support ticket data. By submitting crafted support requests, the attackers were able to access data fields beyond the scope of their own account, ultimately reaching tenancy-wide data stores. This is an authorisation flaw of the insecure direct object reference (IDOR) kind, which amounts to horizontal privilege escalation: a class of flaw that lets a low-privileged user read records belonging to other accounts in a multi-tenant system because the lookup is keyed on an identifier alone rather than on the identifier plus the caller's tenancy and role.
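The flaw class described above, as an added illustration in Ruby (the language of the Canvas code base) that is not Instructure's code and says nothing about how Canvas actually stores tickets: a toy support-ticket store with a lookup keyed on the ticket id alone, beside the tenant-scoped lookup that closes the hole. All names, ids and ticket bodies are constructed.

```ruby
# Added example, not Canvas/Instructure code. Demonstrates a multi-tenant
# IDOR on support tickets and the tenant-scoped authorisation that fixes it.

Ticket = Struct.new(:id, :account_id, :requester_id, :body, keyword_init: true)
User   = Struct.new(:id, :account_id, :role, keyword_init: true)

# Constructed sample data: two tenants (accounts 1 and 2), one ticket each.
TICKETS = [
  Ticket.new(id: 101, account_id: 1, requester_id: 10, body: "Cannot open quiz"),
  Ticket.new(id: 102, account_id: 2, requester_id: 20, body: "Grade export for 55512"),
].freeze

class NotFound  < StandardError; end
class Forbidden < StandardError; end

# VULNERABLE: the ticket is fetched by id only. Any authenticated user,
# including a self-registered low-privilege one, can walk the id space and
# read tickets that belong to other tenants.
def vulnerable_find_ticket(_current_user, ticket_id)
  TICKETS.find { |t| t.id == ticket_id }
end

# HARDENED: scope the query to the caller's own account before matching the
# id, so a ticket from another tenant is indistinguishable from a missing one
# (no existence oracle). Within the tenant, only the requester or an account
# admin may read the ticket.
def find_ticket(current_user, ticket_id)
  ticket = TICKETS.find do |t|
    t.account_id == current_user.account_id && t.id == ticket_id
  end
  raise NotFound, "ticket #{ticket_id} not found" if ticket.nil?
  unless ticket.requester_id == current_user.id || current_user.role == :admin
    raise Forbidden, "user #{current_user.id} may not read ticket #{ticket_id}"
  end
  ticket
end

# Classifies the outcome of a hardened lookup; handy for audits and tests.
def lookup_outcome(current_user, ticket_id)
  find_ticket(current_user, ticket_id)
  :ok
rescue NotFound
  :not_found
rescue Forbidden
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  outsider = User.new(id: 99, account_id: 1, role: :teacher)
  puts "vulnerable: #{vulnerable_find_ticket(outsider, 102).body.inspect}"
  puts "hardened:   #{lookup_outcome(outsider, 102)}"
end
```

The vulnerable lookup hands the account-1 user an account-2 ticket; the hardened one reports it as not found, and within the tenant it still refuses tickets the caller neither raised nor administers.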
What was — and wasn't — stolen
Instructure confirmed the following categories of data were accessed: full names, email addresses, student and staff ID numbers, and private messages between users. The company stated that passwords, dates of birth, government-issued identification numbers, and financial information were not involved.
That framing deserves scrutiny. While passwords were not directly stolen, the combination of name, institutional email address, student ID, and private message content is highly valuable for targeted phishing campaigns. An attacker who knows your full name, your exact university email address, your student number, and the substance of a recent conversation with a lecturer has everything needed to craft a convincing impersonation of your institution's IT support, finance office, or academic administration. Generic phishing is comparatively easy to spot; hyper-targeted phishing that references real conversations is substantially more dangerous.
The second wave and the ransom settlement
After Instructure's initial containment on 29 April, ShinyHunters re-entered via different compromised Free-For-Teacher credentials and, on 7 May, defaced 330 Canvas login portals. This demonstrated that the original mitigation was incomplete and the Free-For-Teacher attack surface had not been fully closed. The group set an institutional deadline of 12 May, offering individual schools the option to negotiate their own data deletion separately from Instructure's platform-wide response.
Instructure's 11 May agreement was a platform-wide settlement. The "shred logs" provided as proof of deletion offer limited independent assurance — as Malwarebytes and other security analysts noted, there is no reliable mechanism by which a victim organisation can verify that a criminal group has permanently destroyed exfiltrated data. Instructure's statement that "ShinyHunters informed them that no customers would be extorted" is entirely the attacker's representation, and carries the trust weight you might expect from that source.
What Australian Students, Educators, and Parents Should Do Now
Check whether your institution uses Canvas
If you or a family member attends or works at a university, TAFE, or state secondary school in Queensland, New South Wales, Victoria, or Western Australia, treat your data as affected unless your institution has explicitly confirmed otherwise. Check your institution's cybersecurity notice page or student portal for incident-specific guidance. Instructure maintains a public incident update page at instructure.com/incident_update with current information and affected institution FAQs.
Expect targeted phishing — and prepare for it
This is the most immediate and practical risk. ShinyHunters' dataset includes email addresses, student IDs, and message history. In the weeks and months following this breach, expect to receive emails that reference your actual student number, your lecturer's name, or the content of real conversations you had through the platform. These are social engineering attacks — not generic scam blasts.
Practical steps:
- Be sceptical of any unexpected email about Canvas, course changes, fee notices, IT password resets, or "account verification" requests — even if the email uses your correct name and student ID.
- Verify urgent requests by calling or physically visiting the sender's department. Do not click links in emails you weren't expecting, even from addresses that look legitimate.
- Report suspicious emails to your institution's IT security team and, if appropriate, to the ACSC via ReportCyber (cyber.gov.au/report).
Strengthen your account security now
Even though passwords were not confirmed stolen, your Canvas-linked email address is now known to a criminal group with demonstrated capability to mount targeted attacks. Take these steps immediately:
- Change your university or institutional email password — especially if you use that same password, or a variation of it, on personal accounts. Reusing institutional credentials on personal services is common among students and is exactly what credential-stuffing attacks rely on.
- Enable multi-factor authentication (MFA) on your university account and every connected service — Microsoft 365, Google Workspace, library portals, learning portals, and any other platform linked to your institutional email.
- Check for unfamiliar email forwarding rules in your university email account. Attackers who gain even brief access to an email account often plant silent forwarding rules that continue to deliver copies of your email long after the breach is resolved.
- Ensure each of your accounts uses a unique password. A password manager makes this tractable at scale — you only need to remember one strong master password, and the tool generates and stores distinct credentials for every service.
Monitor for identity fraud
Names, institutional email addresses, and student ID numbers — combined with other data available on the dark web or through public records — can be assembled into more complete identity profiles. If you are concerned about medium-term identity theft risk, consider placing a free alert on your credit file with Equifax Australia, illion, or Experian Australia. This prompts a verification call before any new credit application is processed in your name.
What This Breach Means for EdTech Vendor Risk in Australia
Notifiable Data Breaches obligations for institutions
Under Australia's Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, entities covered by the Act must notify both affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm. Education institutions that use Canvas as a data processor are still the "data controllers" under Australian law — meaning they, not Instructure, hold the primary compliance obligation for the personal data of their students and staff.
Institutions still assessing their exposure need to act quickly. The NDB scheme generally expects notification within 30 days of an entity becoming aware of an eligible data breach. Given that Instructure disclosed the breach on 1 May, that clock has already started. Institutions that have not yet notified affected individuals should seek legal advice as a matter of priority.
The OAIC has indicated it expects meaningful notifications — not boilerplate communications — that clearly explain what data was accessed, what risks that exposure creates, and what specific steps affected individuals should take. An email that says only "we are investigating an incident" does not meet the NDB notification standard.
Third-party vendor risk: lessons from the Free-For-Teacher vector
The Canvas breach is a textbook case of third-party vendor risk materialising at institutional scale. Australian universities and school systems did not fail their own internal security controls — they trusted a vendor whose product contained an exploitable feature that was inadequately secured. The Free-For-Teacher attack vector is particularly instructive: a user-acquisition feature sitting outside enterprise procurement workflows became the entry point for a breach affecting enterprise customers globally.
Australian organisations procuring SaaS platforms — in education or otherwise — should take several lessons from this incident:
- Map all data processing relationships with SaaS vendors, including which vendor-side features (such as free trial accounts or developer sandboxes) sit outside the contractual scope of your enterprise licence but may still have access to your tenancy data.
- Require vendors to disclose all third-party account types that could reach your tenancy's data — and include contractual obligations to notify you if those account types are compromised.
- Review data processor agreements to confirm breach notification timelines and response obligations are contractually mandated. Instructure's initial communication timeline drew significant criticism from affected institutions.
- Include third-party SaaS platforms in annual risk assessments. Platforms holding high-volume personal data — like an LMS — warrant a higher tier of scrutiny than platforms handling non-personal operational data.
The ACSC Essential Eight and SaaS security
The Australian Signals Directorate's ACSC Essential Eight framework does not directly address third-party SaaS risk, but its guidance on application control, restricting administrative privileges, and multi-factor authentication is directly relevant to reducing the downstream exposure from incidents like this one. Specifically, Essential Eight recommends MFA for all users accessing important data repositories — an obligation that extends to the SaaS platforms those users are authorised to access.
For individual students and educators, the practical lesson from this breach is consistent with what security researchers have emphasised after every major credential incident: strong credential hygiene — unique passwords per service, MFA wherever available, and a password manager to make both tractable — remains the most effective individual defence against the downstream effects of breaches at platforms you used in good faith and had no control over.
The Canvas breach will not be the last incident of this type. The education sector's combination of large user bases, relatively lower security investment compared to financial services, and platforms built to maximise accessibility makes it a persistent target. Australian universities and school systems that have not yet conducted a formal vendor risk assessment of their SaaS portfolio should treat this incident as a prompt to do so before the next one lands.