If you study, teach, or work at an Australian university, there's something you need to know — and you need to know it before tomorrow.
The hacking group ShinyHunters has given Instructure, the company behind Canvas LMS, a final ransom deadline of 12 May 2026 — tomorrow. If that deadline passes without payment, the group has threatened to release the full dataset publicly.
That dataset is enormous. ShinyHunters claims to have exfiltrated 3.65 terabytes of data — roughly 275 million records — affecting nearly 9,000 educational institutions worldwide. Australia is firmly in the impact zone, with the Queensland Minister of Education stating the attack affected the data of up to 200 million people.
Here's what happened, who's affected, and — most importantly — what you can do right now.

What happened with Canvas LMS?
Canvas LMS is the world's most widely deployed learning management system, built and operated by US-based Instructure. It's used by 41% of higher education institutions in North America and by hundreds of thousands of students and staff across Australia.
Between 30 April and 7 May 2026, ShinyHunters exploited a vulnerability in Instructure's "Free-For-Teacher" (FFT) account program. The FFT system allowed educators to create Canvas tenants without institutional verification — and because all tenants shared the same underlying infrastructure, weaker trust boundaries on FFT accounts gave the attackers a path into production data.
Instructure detected the unauthorised activity on 29 April, confirmed the breach publicly on 1 May, and took Canvas offline on 7 May while it permanently shut down the FFT program and rotated credentials. Canvas was restored the following day.
But the data is already gone.
ShinyHunters initially gave Instructure a deadline of 6 May to pay. When that passed without payment, the group extended the deadline to 12 May 2026 — and escalated by defacing Canvas login pages, attempting to extort individual schools directly.
This is the second time ShinyHunters has breached Instructure in eight months. A September 2025 incident targeted Instructure's Salesforce systems through social engineering. In that case, Instructure stated no Canvas product data was accessed. This time, that's not true.
Which Australian universities are affected?
The following Australian institutions have been publicly named as impacted, with several offering assignment extensions and others temporarily disabling Canvas access as a precaution:
- University of Melbourne
- RMIT University
- University of Technology Sydney (UTS) — Canvas access temporarily disabled
- Griffith University
- Adelaide University — Canvas access temporarily disabled
- University of Canberra
- Queensland Department of Education — Canvas access temporarily disabled (K-12 impact)
Queensland Minister of Education John-Paul Langbroek stated the breach affected the data of 200 million people. The Queensland Teachers' Union has called for a formal investigation.
If your institution uses Canvas and hasn't yet issued a statement, it's reasonable to assume your data may be involved.
What data may have been exposed?
Instructure has confirmed the following data was accessed and exfiltrated:
- Full names
- Email addresses
- Student ID numbers
- Private messages exchanged between students and teachers (some)
Independent review by TechCrunch of sample data provided by ShinyHunters found that phone numbers were also present in some records.
What was NOT confirmed exposed:
Instructure has stated there is no evidence that account passwords, dates of birth, government identifiers (like driver's licence numbers or Medicare cards), or financial information were stolen.
That's the good news.
The bad news is that the data that was taken — names, emails, student IDs, phone numbers, and private messages — is gold for one specific kind of attack: targeted phishing and social engineering. Attackers now have enough context about you to craft messages that look completely legitimate.
How do cybercriminals use breached data?
This is where a lot of breach coverage falls short. Knowing your data was stolen is only half the picture. Understanding how it gets used helps you take the right protective steps.
Here's the typical lifecycle after a breach like this:
1. Data is sorted and packaged
   Stolen records are organised by value. Email and password combinations — especially those that match credentials used on banking, Gmail, or social media — are the most valuable and are separated first.
2. High-value records are sold privately
   Before anything appears on public dark web markets, the most sensitive records are often sold in private transactions to identity theft rings or other criminal groups.
3. Data appears on dark web marketplaces
   Within days to weeks, bulk data listings appear on underground forums and dark web markets. This is where SelfCybr's intelligence capability operates — we monitor these spaces continuously so you don't have to.
4. Credential stuffing attacks begin
   Automated tools try your stolen username and password combination across hundreds of websites — banking, email, Netflix, PayPal, shopping accounts. If you've reused passwords, this is where the real damage starts.
5. Targeted phishing campaigns launch
   With your name, email, institution, and sometimes even course details, attackers can craft convincing phishing emails that appear to come from your university, the ATO, or your bank.
6. Victims notice something is wrong — often months later
   By the time most people realise their data has been misused, significant damage has already been done.
The window between steps 3 and 6 is where proactive intelligence makes the difference.
What should you do right now?
Whether you're a student, academic, or university IT administrator, here are the immediate steps to take:
- Change your Canvas password immediately — and if you've used that password anywhere else, change it there too.
- Enable multi-factor authentication on all accounts that support it, especially email, banking, and social media.
- Watch for phishing emails that appear to come from your university, Instructure, or government agencies referencing the breach.
- Don't click links in unsolicited emails about the breach — even if they look official. Go directly to your institution's website for updates.
- Check if your data is already circulating — this is where most people stop short, because they don't know how. We've built a way to help.
See what attackers already know about you — free
At SelfCybr, we specialise in dark web intelligence and open-source intelligence (OSINT) — the kind of deep monitoring that goes far beyond standard breach checkers.
In response to the Canvas LMS breach, we're offering a free Dark Web and OSINT Intelligence Report for anyone who may have been affected.
Here's what your free report covers:
✅ Whether your email address appears in known dark web data dumps related to this breach
✅ Any other known breach exposures linked to your email
✅ Publicly accessible personal information that attackers could use against you (OSINT)
✅ A plain-language summary of your current exposure level
✅ Recommended next steps tailored to what we find
Your report is compiled by our intelligence team and delivered to your inbox. There's no automated guesswork — this is real intelligence, presented in a way that actually makes sense.
How to get your free report
Getting your report takes less than two minutes.
Fill in the form below with your name, email address, and phone number. We'll use your email address as the basis for your intelligence search, and we'll contact you by phone or email if we need any additional information to complete your report.
Your report will be delivered to your inbox within a business day.
What happens after the free report?
Once you've received your report, you'll have a clear picture of your current exposure. For many people, that's enough to take targeted action and secure their accounts.
If your report shows active exposure — or if you'd simply like ongoing protection — we offer SelfCybr Proactive Monitoring: continuous dark web surveillance that alerts you in real time whenever your information surfaces in underground forums, new breach data, or OSINT sources.
For anyone affected by the Canvas LMS breach, we're offering 20% off Proactive Monitoring with code CANVAS20.
A note for university IT and security teams
If you're responsible for your institution's cybersecurity posture, the Canvas breach presents a specific challenge: you may not know which staff and student records were accessed, or what's already circulating.
SelfCybr works with organisations to conduct bulk domain monitoring — identifying exposure across your entire user base, not just individual accounts. If you'd like to discuss an institutional response, give us a call.
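For mail administrators, the phishing advice earlier on this page (breach-themed messages that imitate your university or Instructure) can be expressed as a triage rule that flags Canvas-themed mail whose sender or links fall outside the institution's own domains. The Python below is an added example, not SelfCybr's or Instructure's code; the domain uni.example, the keyword list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions: placeholder institution domain and a minimal keyword list.
TRUSTED_DOMAINS = {"uni.example"}
LURE = re.compile(r"\b(canvas|instructure)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def domain_trusted(host):
    """True only for a trusted domain or a true subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Return reasons to quarantine a breach-themed message ([] if none)."""
    msg = message_from_string(raw)
    body = "\n".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    if not LURE.search(msg.get("Subject", "") + "\n" + body):
        return []  # not about Canvas: out of scope for this rule
    reasons = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not domain_trusted(sender_host):
        reasons.append(f"sender domain {sender_host!r} is not trusted")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not domain_trusted(host):
            reasons.append(f"link points to untrusted host {host!r}")
    return reasons

# Constructed sample messages (not real traffic).
PHISH = """\
From: "Uni IT Service Desk" <helpdesk@uni-example-support.test>
Subject: Canvas data breach - verify your account

Confirm your details at https://uni.example.account-check.test/login today.
"""
LEGIT = """\
From: "IT Services" <it@uni.example>
Subject: Canvas incident update

Latest information: https://www.uni.example/canvas-update
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

The From header can be forged, so treat a clean result as "no finding from this rule", and pair it with SPF, DKIM and DMARC results from your mail gateway.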
