Several tertiary institutions in Canada, including the University of Toronto, the University of British Columbia and the University of Alberta, are experiencing cyber glitches, following a targeted attack at Canvas and Quercus, two digital learning platforms managed by Instructure.
A Canada-based newspaper, Global News, reported that the University of Toronto on Friday shutdown Quercus, one of the affected digital platforms as a precautionary measure to prevent further attacks.
“Instructure, the third-party provider that provides Quercus, is currently experiencing an ongoing cybersecurity incident. There is currently no evidence to suggest that other University of Toronto systems or assets have been compromised,” the university said.
Similarly, the University of Alberta on Friday warned its students from attempting to log into Canvas, following reports that some users saw unauthorised messages on the site.
Also, the University of British Columbia on Thursday urged students not to log into Canvas and instructed those already signed in to log out immediately and change their passwords.
The school in an Instagram post stated that Canvas, an online classroom platform, was “unavailable due to a cyber breach.”
The Global News also reported that other educational institutions such as Simon Fraser University and OCAD University experienced similar disruptions in their use of the learning platforms.
According to a statement published on its official website, Instructure said it discovered that an unauthorised actor made changes to some pages on the platforms.
The company said the hacker tampered with the Free-For-Teacher accounts, which had since been temporarily shut down until safety could be guaranteed.
“On April 29, 2026, we detected unauthorised activity in Canvas. We immediately revoked the unauthorised party’s access, started an investigation, and engaged outside forensic experts,” the company stated.
“On May 7, 2026, we identified additional unauthorised activity tied to the same incident. The unauthorised actor made changes to the pages that appeared when some students and teachers were logged in through Canvas.
“Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards,” it said.
The company disclosed that personal information including names, email addresses, student ID numbers and messages were breached during the cyber attack.
Instructure stated, “Based on the investigation so far, the data taken in the April 29 incident includes certain personal information of users at affected organizations. That includes names, email addresses, student ID numbers, and messages among Canvas users.”
The company added that it found no evidence that passwords, dates of birth, government identifiers or financial information were involved.”
It noted that it had informed law enforcement agencies, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other international agencies about the incident.
An education news platform, Inside Higher Ed, reported that a hacking group, ShinyHunters, claimed responsibility for the cyber breach in messages sent to Canvas users.
The group threatened to release personal data obtained from the platform unless a deal was reached.
“ShinyHunters have breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some “security patches,” the group stated.
“If any of the schools affected in the list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement.”
“You have till the end of the day by 12 May 2026 before everything is leaked. Instructure still has until EOD 12 May 2026 to contact us,” it said.
