Canvas carks it: Instructure data breach leaves students in the dust

NEWS | ISSUE SIX | MAHI Ā-RINGA / CRAFT

Written by Liam Hansen (they/them) | @liamhanse.n | Associate Editor

Students and faculty across AUT, UoA, and VUW were locked out of Canvas over the weekend, as parent company Instructure was hit by a data breach, leaving troves of personal information at risk. 

The trials began at the start of the month, when 3.65 terabytes of information, including students' names, email addresses, private messages, and ID cards, were seized in a major international cybersecurity incident. The perpetrators claim over 275 million students from 8,809 institutions have been affected, though Instructure clarified that no financial or sensitive personal information was acquired. 

This initial breach took place on Wednesday 6 May, leaving the servers online so staff and students could access the platform during their final assessments. It was business as usual up until Friday, our time, when students logged in and finally heard from the hackers themselves and realised they were all probably around the same age. 

‘S H I N Y H U N T E R S - rooting your system since ‘19 ;)’ was plastered across the screen, taking the piss out of the institutions reliant on Canvas while students were unsure whether they were supposed to be rooting for the hackers or their own universities. The message goes on: ‘ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some “security patches”. After a ‘⚠︎ W A R N I N G’, ShinyHunters goes on to ask affected schools to negotiate directly to reach a settlement. ‘You have until the end of the day by 12 May 2026 before everything is leaked. Instructure still has until EOD 12 May 2026 to contact us.’ 

Instructure later took Canvas offline completely, linking the breach to their Free-for-Teacher accounts, which were disabled as a precaution. In a message to staff, AUT instructed teachers to log out of their accounts until the issue was resolved. Thousands of students temporarily lost access to coursework, materials, lectures, and readings, with many unable to submit assignments and students affected across the world, who were often actively sitting their finals when the outage hit. 

Each institution individually worked through their systems to get Canvas up and running again by Saturday, with UoA servers returning by 7:45PM and AUT up and running by 5PM Sunday. 

Given the disruption to classes and inconvenienced students, AUT assessments due between Friday 8 May and Friday 15 May inclusive have received an automatic seven-day extension. Tests and quizzes have also been postponed by at least a week. 

In the points listed at aut.ac.nz/student-life/studying/canvas-outage-faq, AUT states that despite ShinyHunters claiming access to the aforementioned data, none of their internal servers had been breached. The ICT team also warns students to keep an eye out for unofficial emails, reminding them of the primary aut.ac.nz, instructure.com, or canvas.aut.ac.nz addresses officially used by the university. We’ll also chuck autsa.org.nz in there as the official site for Debate and AUTSA comms - if you receive messages from accounts seeming to impersonate AUT personnel or sending spam messages, please forward them to spam@aut.ac.nz.