UBC and SFU among thousands of schools affected by Canvas cyber breach

The University of British Columbia and Simon Fraser University say they are among the schools affected by a cyber breach involving Canvas, the widely used online learning platform owned by U.S.-based Instructure. The incident has impacted thousands of educational institutions globally and has raised concerns about the exposure of student and academic information.

UBC said it became aware of the incident earlier this week and later instructed students, faculty and staff not to log into Canvas until further notice. On its IT status page, the university said anyone who logged in after noon Pacific time on Thursday, May 7, should change their CWL password immediately and contact UBC security.

Student information may have been exposed

SFU said the breach may have involved personal information such as student names, email addresses, student ID numbers and messages exchanged among Canvas users. Similar categories of exposed data have also been cited in reporting on the broader incident and in notices issued by other affected universities.

Instructure has said the compromised information appears to include certain identifying data and messages among users, while universities monitoring the incident have said they have not seen evidence so far that passwords, dates of birth, government identifiers or financial information were involved.

Global disruption hit schools during exam season

The breach has affected nearly 9,000 schools and universities worldwide, according to reporting on the incident, and came at a particularly disruptive time as many students were preparing for final exams or finishing assignments. Some institutions temporarily blocked or redirected Canvas access while the company investigated.

Reuters reported that the hacking group ShinyHunters claimed responsibility after Canvas users at some schools were shown a message threatening to leak data unless the company responded by May 12. The Verge also reported that Canvas was restored for most users after Instructure placed systems into maintenance mode and applied security patches, though some services remained limited.

Warnings about phishing and academic material

UBC has advised students, faculty and staff to remain alert for phishing attempts and to follow account security best practices, including using strong passwords and enabling multi-factor authentication where available.

The breach has also raised concerns beyond basic contact information. UBC computer science associate professor Robert Xiao told media that course content, homework, project materials and other academic submissions could be sensitive if accessed by attackers, with possible implications for academic integrity and intellectual property. That means affected users may need to be especially cautious about suspicious emails and unexpected communications in the days ahead.