A major cyberattack on the Canvas education platform has exposed personal data from 44 Dutch universities and schools, part of a global breach affecting over 275 million people across 9,000 educational institutions worldwide. The incident highlights the growing vulnerability of educational technology platforms that have become essential infrastructure for modern learning.
The hacking group ShinyHunters claims responsibility for the attack and has published a list of victims on the dark web. The group says it accessed a database belonging to Instructure, the company that develops Canvas, one of the world’s most widely used learning management systems.
The scope of the breach in the Netherlands includes major institutions like the University of Amsterdam and Vrije Universiteit Amsterdam, alongside applied sciences universities such as Windesheim and The Hague University of Applied Sciences. Secondary schools like Deltion College in Zwolle and the Grafisch Lyceum in Haarlem also appear on the victim list.
The stolen data contains sensitive personal information including:
- Student and staff names
- Email addresses
- Student identification numbers
- Private messages exchanged between users on the platform
ShinyHunters has set a May 7 deadline for payment, offering individual negotiations with affected institutions. The group warns that data will be publicly released if organizations refuse to pay. “If schools in the list are interested in preventing the release of their data, contact us privately to reach an agreement,” the hackers stated in their message.
Instructure has reportedly refused to meet the hackers’ demands, leaving individual institutions to decide whether to negotiate separately. This situation creates a complex ethical and security dilemma for educational leaders who must weigh the immediate protection of student privacy against the broader principle of not rewarding cybercriminals.
The attack represents the latest in a series of high-profile breaches by ShinyHunters, a group that has become increasingly aggressive in targeting service providers that offer access to multiple organizations. This strategy allows them to maximize damage through single attacks, as seen in their previous strikes on Odido (affecting 1.5 million Dutch accounts), Ticketmaster in 2024, and Pornhub in 2025.
Despite their global impact, ShinyHunters operates as a relatively small collective with only a handful of core members reportedly based in Canada and France. Their focus on platforms that serve multiple clients makes them particularly dangerous to sectors like education, where centralized services have become critical infrastructure.
The Canvas breach underscores the broader cybersecurity challenges facing educational institutions as they increasingly rely on cloud-based platforms for teaching, learning, and administration. With millions of students and educators dependent on these systems, the attack demonstrates how educational technology has become a high-value target for cybercriminals seeking large-scale data theft and ransom opportunities.