The Canvas cyberattack hit Oxford, Cambridge and thousands more. The data was students'.

The hacking group ShinyHunters breached Instructure's Canvas platform in the first week of May, affecting 8,809 institutions worldwide. The attack, now considered the largest educational data breach on record, exposed usernames, email addresses, enrolment data and private messages between students and staff.

By Wistl Newsroom · 12 May 2026 · Higher Ed

Instructure, the company behind Canvas, disclosed on 1 May that it had experienced a cybersecurity incident perpetrated by a criminal threat actor. The company said the breach had been contained the following day but acknowledged that usernames, email addresses, course names, enrolment information and messages had been involved. It said that core learning data, including course content, submissions and credentials, had not been compromised. ShinyHunters, the hacking group that claimed responsibility , disputed that account. The group, which had breached Canvas previously, claimed it had access