ShinyHunters Hacks Canvas Again, Threatens to Leak Student Data

The cyberattack crisis surrounding Canvas, the widely used educational platform, has taken a more alarming turn. The hacker group ShinyHunters has breached the system a second time and left a direct message on the platform itself, along with a fresh ultimatum. Universities across the Netherlands and beyond are now scrambling to respond, with VU University Amsterdam taking the drastic step of cutting off all its systems connected to Canvas entirely. The situation is moving fast, and millions of students and staff are caught in the middle of it.

Second Breach, New Deadline
ShinyHunters made their return impossible to ignore. The group posted a message directly within the Canvas app, calling out Instructure — the company behind Canvas — for failing to engage with them after the first attack. According to the hackers, rather than opening negotiations, the company simply rolled out a few security patches and moved on. That response, apparently, was not enough.

The group has now given affected educational institutions until May 12 to make contact and enter negotiations. If that deadline passes without a response, ShinyHunters says it will go ahead and publish the stolen data. A previous deadline had already expired the day before this second intrusion came to light, which shows the group is serious about following through.

The scale of what was stolen is deeply concerning. When ShinyHunters first announced the breach on Monday, they claimed to have taken data belonging to millions of students, lecturers, and other university staff from higher education institutions around the world. Canvas is the platform students use daily — to submit assignments, check grades, and stay connected with their courses — making the stolen data particularly sensitive.

Dutch Universities Among Those Affected
VU Amsterdam moved quickly after the second breach became known, announcing it had disconnected all systems tied to Canvas. The university acknowledged that the decision could affect lectures and class attendance as early as Friday, but clearly felt the risk of staying connected was too great.

VU Amsterdam is not alone. Universities of the Netherlands, the national umbrella body for higher education, confirmed that several major Dutch institutions were caught up in the original breach. The list includes the University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology, Maastricht University, and the University of Twente — seven institutions in total, representing a significant portion of the Dutch higher education system.

What happens next depends largely on how Instructure and the affected universities choose to respond before the May 12 cutoff. For now, students and staff at these institutions are left waiting, uncertain about both the safety of their personal data and the disruption this could cause to their academic lives in the days ahead.