Canvas Cyberattack Hits U of T, UBC, U of A and Other Canadian Universities: A Practical Guide for Students on Protecting Your Identity After the ShinyHunters Breach
A global cyberattack on the Canvas learning platform has exposed names, email addresses, student ID numbers, and private messages of users at several major Canadian universities. Here is our expert guide on what to check this week, how to lock down your accounts, and what to expect from your school in the days ahead.
By Refdesk Team

What This Means for You
If you are a current or former student, instructor, or staff member at the University of Toronto, the University of British Columbia, the University of Alberta, Simon Fraser University, OCAD University, Ontario Tech University, Western University's Ivey Business School, or any of the other roughly 9,000 institutions that use Canvas, your name, school email address, student ID number, and the content of messages you exchanged inside Canvas may have been copied by a criminal group. According to Instructure — Canvas's U.S.-based parent company, quoted by CBC News — passwords, dates of birth, government IDs, and financial information were not involved. That is genuinely good news. But the data that was taken is exactly the kind of information identity thieves use to send convincing phishing emails, open fraudulent accounts, and chain together with other leaked data to impersonate you.
Here is what we recommend you actually do this week, in priority order. Most of it takes less than 20 minutes and costs nothing.
If You Are a Current Student at an Affected Canadian University
Within the next 24 hours:
- Do not log back into Canvas until your university's IT security team gives the all-clear. UBC, U of T, U of A, and others have been posting updates on their official IT-security pages and student portals. According to The Globe and Mail, UBC told community members "not to attempt to log into Canvas until further notice." Bookmark your school's IT-security page rather than searching — phishing sites posing as login pages are predictable in any breach this large.
- Change your university account password — not just your Canvas password. In most Canadian universities, Canvas uses your central student account (UTORid, CWL, CCID, etc.) for single sign-on. The password itself was not in the leaked data, according to Instructure, but rotating it is cheap insurance. Use a passphrase of four random words plus a number — much stronger and easier to remember than "P@ssw0rd!" patterns.
- Turn on multi-factor authentication (MFA) for your university account today if you haven't already. Most Canadian universities (UBC's CWL, U of T's UTORMFA, U of A's Duo, SFU's MFA) already require MFA for staff and graduate students; some still make it optional for undergrads. Enable it. With MFA on, even a leaked password becomes far harder to use.
- Open your university email and search the inbox for "Canvas," "Instructure," and your school's IT-security domain. Read the official notice end-to-end. Save it as a PDF for your records — if you need to dispute a fraudulent account opened later in your name, having dated proof you were notified is useful.
This week:
- Set up a free credit-monitoring alert. Both Equifax Canada (equifax.ca) and TransUnion Canada (transunion.ca) offer free credit-score and basic monitoring tiers. Even the free tiers will email you if a new account or hard inquiry shows up under your SIN. Identity criminals often wait six to 12 months after a breach to combine data sets, so set this up now and leave it running.
- Add a free fraud alert/warning to your credit file. This is different from a credit freeze — it tells lenders to take extra steps to verify your identity for the next six years (Equifax) or six years (TransUnion). It is free in both bureaus and adds friction without locking you out of new credit yourself. Forms: Equifax Fraud Warning Form and TransUnion Consumer Statement.
- Update your university email's recovery options. If your school account uses a personal Gmail or Outlook as a recovery, make sure that account has its own MFA on, with backup codes printed and stored offline. A leaked school email becomes a target for "password reset" social-engineering attempts.
- Treat any email referencing your student ID number as suspicious by default for the next 90 days. Until now, your student ID + name + school email was largely private outside the institution. After this breach, attackers can craft messages like "Dear [your name], we've detected an issue with your student account [your ID]. Please verify at the link below." Hover over links, never click straight from email, and go to the school portal yourself by typing the URL.
Example scenario: A second-year U of T undergrad named Priya, who used Canvas to message her TA about an extension last term, has had her UTmail address, UTORid, and the body of those messages potentially copied. Three weeks from now, she gets an email purporting to be from "U of T Registrar" using her real student number, mentioning the same course code she discussed with her TA, and asking her to "reverify" her account. Without context, it looks legitimate. Knowing that her Canvas messages were exposed makes the trick obvious. The defence is awareness, not technology.
If You Are a Graduate Student, TA, or Researcher
You face the same risks as undergraduates plus two additional ones.
- Research correspondence in Canvas may include early drafts, unpublished data, or peer-review comments. If you discussed unpublished research, theses, or grant work through Canvas messages, alert your supervisor and your institution's research-integrity office. They may want to assess whether the breach affects intellectual-property obligations or grant terms (Tri-Agency, Genome Canada, NSERC, CIHR).
- You may have administrative access to courses. TAs and instructors who used Canvas's gradebook, group messaging, or LTI integrations should ask their faculty IT contact whether instructor accounts had a different exposure. According to CBC News, the breach reportedly began through "a particular type of teacher account."
If You Are a Parent of a Student or Recent Graduate
Your son or daughter may not be reading their school email actively, especially if they graduated last year and the file is still active. Send them this article and these three tasks: change school password, turn on MFA, set up free Equifax monitoring. If they applied for OSAP or a student credit card linked to their school email, those institutions may also send breach-related notices — make sure they actually open them.
If You Are an Employer, Landlord, or Lender Who Verifies Students
Be aware that a fraudster in possession of a real student name, ID, and school email could now plausibly answer routine identity-verification questions. Until further notice, treat student ID numbers and school emails as breached rather than trusted attributes. Verify with a separate channel — a phone call to the school's enrolment-services line or a request for a Verification of Enrolment letter from the registrar — before extending credit, leases, or job offers contingent on student status.
For All Canadians
Even if you have never used Canvas, this breach is a useful prompt:
- Audit which old accounts still tie to a student email you no longer use. Many of us signed up for streaming services, software subscriptions, or banking products with a school email a decade ago and never updated them.
- Check haveibeenpwned.com. Enter your email address. The site is run by Australian security researcher Troy Hunt and is free. It will tell you which historical breaches your email appears in. The Canvas data has not been published as of this writing, but if and when it is dumped or sold publicly, this is one of the first places you'll see it indexed.
- If you are over 60 or have an aging parent connected to a Canadian university (alumni mailing lists, continuing-education accounts), help them with the steps above. The Canadian Anti-Fraud Centre reported $638 million in fraud losses in 2024, with seniors disproportionately targeted by identity-based scams. Spend half an hour walking them through MFA setup.
The News: What Happened
According to CBC News, Instructure — the U.S.-based company that operates the Canvas learning-management platform used by roughly 9,000 institutions worldwide — first detected unauthorized activity on April 29, 2026, accessed through a compromised teacher-type account. The Globe and Mail reports that ShinyHunters, the criminal group also linked to past breaches at Ticketmaster and a Salesforce database, posted a ransom demand directly inside the Canvas interface earlier this past week and gave affected institutions until May 12, 2026, to pay before threatening to release the stolen data.
Confirmed Canadian universities affected, according to The Globe and Mail and CBC News, include the University of Toronto, the University of British Columbia, the University of Alberta, Simon Fraser University, OCAD University, Ontario Tech University, and Western University's Ivey Business School. CBC News reports that UBC instructed community members "not to attempt to log into Canvas until further notice."
According to Instructure's chief information security officer Steve Proud, quoted by Global News, the data that "may have been impacted" includes user names, email addresses, student ID numbers, and the contents of messages exchanged through the platform. Instructure has stated, according to The Globe and Mail, that it has "found no evidence that passwords, dates of birth, government identifiers, or financial information were involved."
ShinyHunters has separately claimed, in posts cited by CTV News and Global News, that the broader Canvas dataset contains identifying information of approximately 275 million students, teachers, and school staff worldwide. That figure has not been independently verified.
Analysis: Why This Matters
Based on our analysis of the public statements from Instructure, the universities, and ShinyHunters, three things stand out as genuinely important for Canadian students — and three things tend to be over-stated in the early coverage.
What is genuinely important:
First, the breach is large, but the type of data is, on balance, lower-risk than the worst-case scenario. Names, school emails, and student IDs are not financial credentials; they are useful primarily as raw material for targeted phishing rather than direct fraud. A leaked password or SIN would be far worse. That should not lull anyone into complacency, but it does mean Canadian students do not need to rush to change every password and freeze every account in panic.
Second, the messages component is unusual. Most data breaches expose form-field information — emails, IDs, addresses. A breach that exposes message content, even if much of it is mundane "what's the deadline?" exchanges, does provide attackers with conversational style, course codes, and TA names that make spear-phishing dramatically more convincing. This is the part that students should think hardest about.
Third, this is the second known major incident involving Canvas in the past year, according to Inside Higher Ed. That pattern matters when assessing whether your university's reliance on a single foreign-owned LMS deserves more scrutiny — a question some Canadian post-secondary IT governance committees and student unions will likely raise.
What is being over-stated:
Headlines citing "275 million people affected" come from the attackers themselves and should be treated as a marketing claim until verified by Instructure or independent researchers. The number of Canadian records exposed is almost certainly much smaller, though still substantial.
Historical Context
According to the Canadian Centre for Cyber Security's 2025 National Cyber Threat Assessment, the post-secondary education sector remains a frequent target because universities hold large stores of personal data, run decentralized IT environments, and depend heavily on third-party software-as-a-service tools like Canvas, Brightspace (D2L), and Moodle. The 2023 ransomware incident at Memorial University and the 2024 incident at the University of Winnipeg are recent reminders of the same risk profile.
What Happens Next
Expect the following in the coming weeks: detailed breach-notification letters from each affected Canadian university (required under provincial privacy legislation in B.C., Alberta, Quebec, and the federal Privacy Act for federal institutions); class-action filings — Canadian privacy class actions have followed every major breach of this scale; and a likely Office of the Privacy Commissioner of Canada (OPC) investigation, given the cross-jurisdictional impact. The May 12 ransom deadline will pass, and within 48 hours we will know whether ShinyHunters publishes the data, sells it on a forum, or quietly drops the threat. Plan as though the data will become public.
Your Action Plan
Immediate (This Week):
- Read your university's official Canvas-breach notice (do not click links from email — go to the school portal directly)
- Change your university account password and enable MFA
- Sign up for free Equifax Canada or TransUnion Canada credit monitoring
- Save a dated copy of your school's breach notice as a PDF
Short-term (This Month):
- Add a free fraud alert to your Equifax and TransUnion credit files
- Audit accounts (banking, streaming, e-commerce) that use your school email — switch to a personal email where possible
- Update recovery email addresses on important accounts and add MFA there too
- Search haveibeenpwned.com and any Canvas-data alert if and when added
Long-term (This Year):
- If you graduated, transition critical accounts off your school email before your alumni access expires
- Keep credit monitoring active for at least 18 months
- If you receive a phishing attempt that uses your real student ID, report it to your university IT-security team and to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca
Other Perspectives
Instructure (the company):
Instructure's chief information security officer Steve Proud said, according to Global News, that the company "moved swiftly to contain the incident" and reiterated there was "no evidence that passwords, dates of birth, government identifiers, or financial information were involved."
Canadian Universities (UBC, U of T, others):
UBC told its community, according to The Globe and Mail, "not to attempt to log into Canvas until further notice" and recommended enabling multi-factor authentication and using strong passwords. The University of Alberta confirmed to CBC News that it was among the institutions affected.
Cybersecurity Experts:
Cybersecurity analysts quoted by Daily Hive and CBC News have warned that even seemingly low-risk data — names, emails, student IDs — can be combined with information from previous breaches to construct synthetic identities. Information from this Canvas incident "could be combined with data leaked elsewhere to build profiles for creating false identities," CBC News reports.
ShinyHunters (the attackers):
The group claims, in messages quoted by Inside Higher Ed and various student newspapers, that it has stolen records of approximately 275 million individuals across all Canvas-using institutions worldwide. The group has previously been linked to breaches at Ticketmaster and a Salesforce-related incident. Their numbers and motivations should be treated with skepticism; they are extortionists, not whistleblowers.
Affected Students:
Student newspapers at Harvard, Brown, the University of Pennsylvania, and Duke have reported confusion and frustration at the lack of timely communication. Canadian student unions at U of T (UTSU), UBC (AMS), and U of A (UASU) are likely to push for clarity on which records were exposed and whether any institutional accountability mechanisms apply.
Note: Including multiple perspectives doesn't imply all views are equally valid, but ensures readers can make informed judgments.
Corrections Policy
We strive for accuracy. If you find an error in this analysis, please email us at [email protected]. We will promptly investigate and correct any factual inaccuracies.
Updates:
- No corrections to date (as of May 10, 2026)
Sources
- CBC News, "A cyberattack hit universities worldwide, including top Canadian schools. Here's what we know," May 9, 2026 — cbc.ca/news/canada/canvas-cyber-attack-canadian-universities-9.7193648
- The Globe and Mail, "University of Toronto among Canadian schools targeted in widespread cyberattack on Canvas system" — theglobeandmail.com/canada/article-u-of-t-among-canadian-schools-targeted-in-widespread-cyberattack-on/
- CBC News, "UBC, SFU among thousands of universities affected by cyber breach of learning software Canvas" — cbc.ca/news/canada/british-columbia/ubc-sfu-canvas-cyber-breach-9.7191972
- CBC News, "University of Alberta among Canadian universities targeted in cyberattack" — cbc.ca/news/canada/edmonton/university-of-alberta-among-canadian-universities-targeted-in-cyberattack-9.7192427
- CBC News, "U of T, OCAD among Ontario universities impacted by Canvas cyber breach" — cbc.ca/news/canada/toronto/ontario-universities-canvas-breach-9.7192287
- CTV News, "Cybersecurity incident impacted post-secondary students across Canada," May 8, 2026 — ctvnews.ca/sci-tech/article/cybersecurity-incident-impacted-post-secondary-students-across-canada/
- Global News, "Several Canadian universities face security breach, student data leaked" — globalnews.ca/news/11840444/canadian-universities-data-leak/
- Inside Higher Ed, "Hackers Target Canvas — Again," May 7, 2026 — insidehighered.com/news/quick-takes/2026/05/07/hackers-target-canvas-again
- Equifax Canada, Credit Monitoring — equifax.ca/personal/products/credit-score-report/
- TransUnion Canada, Credit Monitoring — transunion.ca/product/credit-monitoring
- Canadian Anti-Fraud Centre — antifraudcentre-centreantifraude.ca