Edit 08.05: This article has been edited to include contact information of the ICT Service Desk for University of Amsterdam students.
By Komari Machida and Cadence Chua
This is a developing story. Information in the article was accurate at the time of publication.
On the night of 7 May 2026, student group chats erupted in chaos as university Canvas pages appeared to be breached for the second time this week. The website read, “SHINYHUNTERS, rooting your systems since ‘19 ;)”, revealing it as the work of ShinyHunters, a notorious criminal hacker group.
About an hour after the hack was detected by AUC users, Instructure took down the site, with the website reading, “Canvas is currently undergoing scheduled maintenance”. Additionally, on the morning of 8 May, UvA has “made Canvas completely unavailable as a precaution”, and promised users updates.
According to the group’s list, the hack has affected 44 Dutch universities as well as other institutions globally. This includes the University of Amsterdam (UvA), Vrije Universiteit Amsterdam, and other top universities like Harvard University, the University of Oxford, and Massachusetts Institute of Technology. Corporate clients that use Canvas, such as Anthropic, the parent company of Claude, as well as Apple, Cisco, and Amazon, were also affected. 231 million people have been impacted worldwide.
Based on a report by TechCrunch, this is the second breach this week. The first breach on 4 May gave Instructure until the 6th to respond to the group’s attacks. However, ShinyHunters claims that the company “ignored” them instead of resolving it, which motivated their second attack. According to a statement by Instructure, data stolen in the first breach included identifying information such as names, email addresses, student ID numbers, and messages exchanged on Canvas. They claimed they found no evidence of leaks of “passwords, date of birth, government identifiers, or financial information” and would contact any impacted institutions if the situation changed. It is still unknown what was stolen in the second leak.
Students are strongly advised against logging into Canvas until further notice, downloading the file in the ransom message, or accessing any other links associated with the hacker group. In an email addressing the first leak, the UvA urged students to be “extra alert for suspicious emails such as messages that arrive unexpectedly or ask you for personal data” during hacking incidents.
These emails may come from buyers of customer data on the dark web. ShinyHunters itself primarily targets large corporations rather than individuals. They are known for their large-scale hacking operations and “pay-or-leak” policy, where they threaten to leak companies’ user data unless they pay a ransom. If the corporations fail to comply, ShinyHunters is known to sell user records on the dark web for profit.
ShinyHunters built up their portfolio from small-scale data leaks targeting services with fewer than 10 million users in 2020, to hacking mega-organisations such as Google and the European Commission. Earlier this year, the group was also behind an attack on Odido, a Dutch telecommunications provider. This time, Instructure, the corporation behind Canvas, is the focus. Canvas is the most-used LMS (learning management system) software in higher education.
The details of the hack are under investigation by Instructure. The statement by ShinyHunters called on affected institutions seeking to protect their data to reach out to a cyber advisory firm and negotiate a settlement with the group by the end of 12 May. It is unclear whether the UvA will do so.
To report any problems, uncertainties, or suspicious emails, UvA students may consult the UvA ICT Services for more information.
The Herring 