
ShinyHunters breach of Canvas LMS hits Australian schools and universities
Australian universities, state education departments and private schools are among the customers caught up in a global breach of Instructure's Canvas platform. ShinyHunters claims to have taken 3.65 terabytes of data covering 275 million users.
Australian universities, state education departments and private schools are among the customers exposed by a breach of Instructure's Canvas learning management system. The extortion group ShinyHunters has claimed responsibility, saying it took 3.65 terabytes of student and staff data.
Instructure, the Salt Lake City-based vendor, confirmed the incident on 3 May, two days after it pulled parts of Canvas Data 2 and Canvas Beta offline. The company said attackers exploited a vulnerability in the platform to access user records before the flaw was patched. ShinyHunters claims the leaked dataset covers roughly 9,000 institutions, 275 million students, teachers and staff, and 231 million unique email addresses.
Instructure has not endorsed those numbers. Spokesperson Kate Holmes told TechCrunch that over 8,000 institutions partner with the company for teaching and learning. Canvas holds a 43 per cent share of the North American learning management market. It is also heavily used in Australia and New Zealand, where universities shifted teaching online during the pandemic and never pulled back.
Australian institutions on the list
Australian institutions on the affected list include the University of Technology Sydney, RMIT University, the University of Newcastle, the University of Adelaide, Flinders University and the Australian Catholic University. Independent schools named include Brisbane Grammar, Sacred Heart College in Geelong and Mentone Grammar in Melbourne.
State education departments in NSW, Victoria and Western Australia also appear on the leak list. So does TasTAFE, which confirmed student data had been compromised. Queensland Education Minister John-Paul Langbroek said on Thursday that the state's QLearn platform, used by Queensland public school students since 2020, was also caught up. The department is working with Instructure and the Australian Cyber Security Centre to determine which student records were taken, Langbroek said.
The University of Technology Sydney told students its Canvas service was "currently operating as normal" and warned them to "beware scam emails about the breach or asking them to sign in or reset a password". RMIT and the Australian Catholic University issued similar notices and said they were waiting on confirmation from Instructure about which staff and student records sat inside the leaked dataset.
How the breach unfolded
Instructure says the intrusion began around 30 April. It spotted suspicious activity in its production environment on 1 May and pulled Canvas Data 2 and Canvas Beta offline the same day. A customer notice on 2 May warned of a possible incident. An updated disclosure on 3 May confirmed that personal data had been accessed.
ShinyHunters claimed the breach the same day on a leak forum and posted a partial sample. The group set a ransom deadline of 6 May for Instructure to pay or have the dataset published. Instructure has not said whether it engaged with the extortion demand. The company has reported the breach to United States law enforcement and is working with external incident responders, according to a notice on its trust portal.
What was taken
The exposed data is limited to names, personal email addresses, student identification numbers and messages between Canvas users, Instructure says. The company found no evidence that passwords, dates of birth, government identifiers or financial information were compromised.
ShinyHunters separately claims to have taken billions of private messages between students and teachers, plus a Salesforce instance linked to Instructure. The group has not produced evidence for the message volume figure. Security researchers who have reviewed sample records say the data appears genuine but partial. Some institutions are present in name only, with no associated user records visible in the sample.
Patch and rotate
Instructure has patched the underlying vulnerability, increased monitoring and rotated application keys for customers using its API. Customers have been required to re-authorise integrations with new keys. Chief information security officer Steve Proud has briefed enterprise customers in a series of calls this week.
Anton Dahbura, executive director of the Information Security Institute at Johns Hopkins University, said the incident showed the limits of platform consolidation in education. "The Canvas breach is a reminder that no platform is immune: there are countless widely used systems that remain attractive targets for sophisticated bad actors, including nation-states," he said.
What to watch
Australian universities and state education departments are required under the Notifiable Data Breaches scheme to notify the Office of the Australian Information Commissioner and affected individuals where serious harm is likely. Several institutions on the leak list have yet to confirm whether their own user data sits inside the archive ShinyHunters is offering for sale.
Instructure has said it will notify customers directly as it identifies which records are inside the stolen archive. Affected staff and students should expect targeted phishing and credential reset scams in the weeks ahead. The Australian Cyber Security Centre is expected to issue an advisory once it has reviewed the leaked sample data.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.