Hackers hijack Amsterdam uni software

The thing that got hacked was not Amsterdam’s universities directly. It was Canvas — the learning platform they rely on for courses, assignments, grades, and messages. That distinction matters, because this looks less like one campus getting broken into and more like a supplier breach rippling across higher education. In early May, Instructure, the US company behind Canvas, said it was dealing with a cybersecurity incident, and Dutch outlets then linked the fallout to universities including the University of Amsterdam and VU Amsterdam. (status.instructure.com) ### What actually got hit? Canvas is the digital classroom for a huge chunk of university life. Teachers post materials there, students submit work there, and people message each other inside it. UvA and VU both use Canvas as a core teaching tool, so when something goes wrong at the vendor level, it is immediately relevant even if the universities’ own internal networks were never “hijacked” in the usual sense. (uva.nl) ### What did Instructure say? Instructure disclosed a cybersecurity incident on May 1, 2026. By May 2, it said the incident appeared contained and that it had revoked privileged credentials and access tokens, patched systems, rotated some keys, and increased monitoring. It also said the exposed information appeared to include n(uva.nl)vidence that passwords, dates of birth, government IDs, or financial information were involved. (status.instructure.com) ### Where do Amsterdam universities come in? Dutch reporting says a victim list reviewed by local media included 44 Dutch schools and universities, among them the University of Amsterdam and Vrije Universiteit Amsterdam. But that does not automatically mean every listed institution had confirmed data stolen from its own users. It means the institutions were potentially in scope because they use Canvas. (nltimes.nl) ### What has UvA said? UvA has been unusually clear about the uncertainty. Its student update said a security incident at the Canvas developer was reported on May 4, that it was still investigating which systems were affected, and that it was not yet clear whether UvA data was involved. UvA also warned stu(nltimes.nl)gency maintenance by Instructure. (my.uva.nl) ### Was this a campus outage too? Partly, yes — but the disruptions seem tied to vendor-side emergency work, not a separate Amsterdam-only shutdown. Instructure’s status page showed maintenance and service problems around Canvas Data 2, Beta, Test, API-key related tools, and some access errors in the same window. So the “software hijack” framin(my.uva.nl)ystems directly. The cleaner read is that a supplier breach caused both data-risk questions and some service instability. (status.instructure.com) ### Who is claiming responsibility? Dutch coverage names ShinyHunters, a group already tied to other big data theft cases. Reports say the group claimed to hold data from 275 million users worldwide and set a ransom deadline for Instructure or affected schools. That claim is central to the story, but it is still a claim from the attackers layered on top of Instructure’s own narrower public description. (nltimes.nl) ### So what should readers take from this? The big point is supply-chain risk. Universities can do a lot right and still get dragged into a breach through software they depend on every day. For Amsterdam students and staff, the immediate concern is not confirmed account takeover. It is exposure of routine academic data and a higher chance of phishing using real names, emails, and course context. (status.instructure.com) ### Bottom line This was a Canvas incident first, and an Amsterdam university story second. But because Canvas is woven into daily teaching, even a partly unresolved vendor breach becomes a real campus problem fast. (status.instructure.com)