Students on the first day of the academic year at the University of Amsterdam’s Science Park campus, 4 September 2023 - Credit: NL Times / NL Times - License: All Rights Reserved

Canvas hack: Student data from 44 Dutch universities and schools taken in massive breach

A large-scale cyberattack on the Canvas education platform has exposed data from dozens of Dutch educational institutions, RTL reports. In the Netherlands, the breach affects 44 universities, universities of applied sciences, and secondary schools across the country, according to a list of victims that the hacking group ShinyHunters shared on the dark web and that BNR reviewed.

The hacker collective taking credit for the attack, previously linked to hacks at Odido and Pornhub, claims it accessed a database belonging to Canvas developer Instructure. The breach affects more than 275 million individuals across roughly 9,000 educational institutions worldwide, spanning students, educators, and staff.

In the Netherlands, the institutions include the University of Amsterdam and Vrije Universiteit, both in the capital, as well as Windesheim University of Applied Sciences and The Hague University of Applied Sciences. Also listed are Deltion College in Zwolle and the Grafisch Lyceum in Haarlem. The stolen data includes names, email addresses, student numbers, and messages exchanged between users, according to BNR.

The hackers have set a deadline of May 7, demanding payment from affected organizations. According to the message shared by ShinyHunters, institutions may negotiate individually.

“If schools in the list are interested in preventing the release of their data, contact us privately to reach an agreement,” the group said. Reporting indicates that Instructure, Canvas’s parent company, has not agreed to the hackers’ demands.

ShinyHunters was also tied to attacks on telecom company Odido in 2026, Ticketmaster in 2024, and adult platform Pornhub in 2025, incidents in which data from about 1.5 million Dutch accounts was reportedly taken.

The collective, described by sources familiar with the group as a relatively small operation with only a handful of core members based in Canada and France, is known for targeting companies that provide services to multiple organizations, which allows it to access large numbers of systems through a single breach.