
If your school, TAFE, or university uses Canvas, there’s a good chance your data has been compromised. The Queensland government confirmed on 6 May 2026 that tens of thousands of students and staff are affected, and the breach extends far beyond Queensland — touching more than 9,000 institutions across the globe.
Here’s what happened, what was taken, and what you should do now.
What Happened
Instructure, the US company behind Canvas — one of the world’s most widely used learning management systems — confirmed it was attacked by ShinyHunters, a criminal extortion group known for high-profile data theft. The attack was first detected on 30 April 2026 when Canvas tools began experiencing disruption. By 1 May, Instructure confirmed a criminal breach was underway and brought in outside forensics experts.
ShinyHunters is now threatening to publicly release the stolen data unless Instructure pays an undisclosed ransom. The group claims to have stolen 3.65 terabytes of data — including billions of private messages sent between students and teachers on the platform.
What Data Was Taken
Instructure has confirmed the following information was accessed:
- Names
- Email addresses
- Student ID numbers
- Private messages sent through Canvas
The good news: Instructure says there is no evidence that passwords, dates of birth, financial information, or government identifiers were compromised. Stolen data has not yet been made public.
Who Is Affected in Australia?
Queensland’s state school network uses Canvas through its QLearn platform, and the state government has confirmed students and staff who used the system since 2020 are likely affected. Priority support is being offered to families known to child safety authorities or those with a history of domestic violence — a recognition that even names and email addresses can put vulnerable people at risk.
Beyond Queensland, universities and TAFEs across Australia and New Zealand are assessing their exposure. Victoria University of Wellington, Auckland University of Technology, and the University of Auckland have all confirmed they are investigating potential impacts on their students and staff.
What Should Schools and Institutions Do Right Now?
- Wait for official notification. Instructure is contacting affected institutions directly. Queensland school principals are in the process of notifying families. Check communications from your institution before acting.
- Be alert to phishing. The most immediate risk from this type of breach is targeted phishing — emails that appear to come from Canvas, your school, or Instructure asking you to verify details or click a link. Do not click links in unsolicited emails. Go directly to official websites instead.
- Change your Canvas password as a precaution. Even though passwords are not believed to have been stolen, it’s good practice — especially if you reuse the same password across multiple accounts.
- Notify your IT and privacy teams. If your institution uses Canvas, your data protection officer or privacy team needs to assess whether a notification obligation has been triggered under your state’s privacy legislation or the federal Notifiable Data Breaches scheme.
- Document everything. Keep records of when you were notified, what actions you took, and any communications with Instructure. This will be important if a regulatory review follows.
The Bigger Picture
This is not an isolated incident. The education sector has become one of the most targeted industries for cybercriminals, precisely because of the vast amounts of personal data held on large shared platforms. Before Canvas, the education platform in the headlines was PowerSchool, which suffered a breach in 2024 affecting an estimated 62 million students globally. The pattern is clear: attackers are no longer going school by school; they’re hitting the vendors that serve thousands of schools at once.
For school leaders and IT teams, this breach is a prompt to review vendor contracts, understand what data third-party platforms hold on your students and staff, and confirm that your institution has a tested incident response plan in place before the next breach — not after.

