Canvas data breach hits ANZ education sector
A cybersecurity breach at US-based learning platform Instructure has compromised personal data across Australian and New Zealand education institutions.
The incident affects users of Canvas, the cloud-hosted learning management system used by an estimated 9,000 schools and universities globally.
Instructure detected the attack on 30 April 2026 and publicly disclosed the incident the following day.
Chief Information Security Officer Steve Proud confirmed the company had engaged outside forensics experts to investigate.
Compromised data may include names, email addresses, student ID numbers and messages exchanged inside Canvas.
Instructure says it has found no evidence that passwords, dates of birth, government identifiers or financial information were involved.
The Queensland Department of Education has confirmed the breach affected its QLearn online learning platform.
Education Minister John-Paul Langbroek said students and staff at Education Queensland schools since 2020 had been impacted.
Langbroek said names, email addresses and school locations had been compromised in the international breach.
He said the Department was prioritising support for families known to Child Safety or experiencing family and domestic violence.
Cyber extortion group ShinyHunters has claimed responsibility for the attack via its darknet leak site.
The group claims it accessed data on more than 275 million students and staff, including billions of private messages.
ShinyHunters also claims to have breached Instructure's Salesforce instance. These figures have not been independently verified by Instructure.
The group has demanded payment, threatening to release stolen data publicly. Instructure has not commented on ransom demands.
Multiple Australian universities have launched investigations into the breach.
The University of Technology Sydney, the University of Sydney and the University of Melbourne are all assessing the impact.
In New Zealand, the University of Auckland, Auckland University of Technology and Victoria University of Wellington have all confirmed Canvas-linked systems were impacted.
RMIT University and Flinders University are also investigating, while TasTAFE has confirmed its data was accessed.
A UTS spokesperson said the university was working with Instructure to confirm whether UTS data had been compromised.
Canvas remained operational at UTS at the time of writing.
RMIT said it had been notified of a cyber incident impacting Canvas. Flinders said student and staff data may have been affected.
TasTAFE was notified that a criminal third party accessed its data, with personal information including Canvas messages potentially involved.
The College of Law has also written to students confirming the incident affected its Canvas-based teaching platform.
The University of Auckland said its cybersecurity team was working with Instructure to determine the scope of the breach.
The university warned staff and students that phishing was the most likely consequence of any data exposure.
Victoria University of Wellington said Nuku, its Canvas-linked learning system, was among those flagged as affected.
The university said its internal infrastructure remained operational.
Instructure has revoked privileged credentials and access tokens linked to affected systems.
The company has deployed patches and rotated certain application keys as a precaution.
Reissued application keys carry a timestamp in the name and will be visible to users during reauthorisation.
Instructure says these are valid keys and users should continue the authorisation process.
Affected institutions are urging users to remain alert for phishing emails purporting to come from Canvas, Instructure or their education provider.
Users have been advised not to click links in unsolicited emails and to access learning portals directly.
Cybersecurity specialists note that attacks on third-party education vendors have escalated in recent years.
The Canvas breach follows the 2024 PowerSchool incident, which compromised an estimated 62 million student records.
Australian institutions covered by the Notifiable Data Breaches scheme are reviewing whether disclosure obligations have been triggered.
