My last day at Edinburgh was the 29th of April 2026. My contract officially ended on the 15th of May so after I had a lovely send-off, I then was set to have a few weeks holiday and to completely relax. The week after (and Myles, new Head of Digital Learning Applications and Media, I feel terrible about this) whilst I was having a jolly lovely time gardening and enjoying the sunshine, LinkedIn erupted with the news of the Canvas hack. At Edinburgh, our main VLE is Blackboard Learn and not Canvas so from that perspective I knew that revision for the exam diet wouldn’t be disrupted but Canvas is in use for short courses so the hack would still have some impact.
So what happened?
From what I’ve read, it seems like the initial hack/data breach happened possibly in April at some point and Instructure (the supplier of Canvas) became aware of the breach around the 29th of April, although nothing was reported to the institutions affected or the public at first. The hackers (ShinyHunters) then published a list (on the dark web) of nearly 9000 institutions which had been affected. Data stolen is believed to be usernames, email addresses, course names, enrolments and private messages from within Canvas. It appears the hackers gained access through some vulnerability exploited via a ‘Free-For-Teacher’ account.
On the 7th of May, later in the evening, I got a panicked phone call from my cousin who is a student at Hull University, panicking because she was trying to submit her dissertation but ‘Canvas had been hacked’. I assumed she had misunderstood the situation from the earlier data breach/hacking incident until she read me out a message that was appearing in Canvas when she logged in.
‘ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some “security patches”.’
Canvas was placed into maintenance mode a few minutes later and remained offline for around 3.5 hours. Instructure have provided a useful short summary of the security events which summarises what happened and when.
Instructure ‘reached an agreement’ with the hackers – an undisclosed sum was paid and the hackers agreed to return the data to Instructure and destroy the data, and agreed that no Instructure customers will be extorted as a result of the security incident.
ShinyHunters have taken responsibility for a number of high-profile hacks such as AT&T, Salesforce, Google, Qantas and many others. They seem to use a variety of mechanisms for breaking into systems:
‘What is most striking is how they did it. There were no exotic, impossible-to-understand exploits. In many of these attacks, no one “broke in” at all.
Someone approved an app they shouldn’t have, a token that should have expired didn’t, a third-party vendor with too much access became the entry point for hundreds of downstream victims…In some cases, an employee simply answered the phone.’
Who Is ShinyHunters? | Tactics, Top Attacks & How to Protect Your Organization
My reflections
Honestly, I just feel sorry for Instructure. They are not the first supplier this has happened to, nor will they be the last. With the boom in AI, it’s going to get harder and harder to secure our systems and even the types of attacks I thought ‘couldn’t happen to me’ like social engineering (surely I wouldn’t be fooled by phishing or other social engineering?) are going to get more and more sophisticated (bad actors are getting bolder with their strategies and fake AI voice/video is probably good enough to digitally clone trusted people). AI can run quickly over infrastructure to find weaknesses it would take humans a much longer time to find.
I don’t know what the solution is here – I think it’s a difficult problem to solve. I’ve seen a lot of blog posts and articles saying that maybe education relies too much on SaaS VLEs with some people even suggesting we should get rid of EdTech or move to open source systems (which themselves have their own risks). I don’t agree with either of these – if we get rid of EdTech should we get rid of email systems and payroll systems too? We rely on them entirely too but they are usually also SaaS platforms. And open source is not safe from hackers either, and in fact may be more vulnerable due to the difficulty of getting developers and technical staff to keep installations secure. In my time as Head of DLAM, we had great difficulty in recruiting developers in my team – it sometimes required multiple rounds of advertising and we were often unsuccessful, because the salaries we could pay were not competitive compared to other roles, like in finance (the conversation I had with an applicant for a grade 7 role about their salary expectation at over £90K per year, plus £5K for kit was a bit of a shock to me).
I don’t know what the solution is but I don’t think knee-jerk reactions will help. I suspect we should be looking at whether AI can help us secure our systems with AI assistance on testing and monitoring. But it’s going to be an arms race, as it always has been but just happening a lot more quickly in the future.