Multiple Flemish higher education institutions, including the Vrije Universiteit Brussel (VUB), Thomas More, Artevelde, Karel de Grote, CVO Ghent, and Erasmus University College, have confirmed that data belonging to thousands of students and staff was potentially exfiltrated in a cyberattack targeting the Canvas learning management platform. According to reporting from De Telegraaf, the threat actor group ShinyHunters, which claims responsibility for stealing data from over 275 million users globally, is behind the intrusion. The same campaign has affected 44 educational institutions in the Netherlands.

What Happened

This week, attackers compromised data flowing through Canvas, the learning management system developed by Instructure and used widely across Flemish universities of applied sciences and the VUB. Affected institutions began notifying students and staff via email after confirming that personal records had been accessed. Artevelde University College in Ghent issued direct warnings to its community, while VUB stated that only academic data was taken and confirmed Canvas can once again be used safely. The investigation remains active, and the total number of impacted individuals across Belgium has not yet been determined.

What Was Taken

According to Artevelde University College, the stolen records include full names, work and private email addresses, and registration numbers for both students and staff. Internal Canvas messages exchanged between users are also believed to be among the exfiltrated data. There is currently no evidence that passwords were compromised. The VUB maintains that the breach affecting its users is limited to academic data, with no private information lost. The aggregate ShinyHunters dataset linked to this campaign is reported to contain information on more than 275 million users worldwide.

Why It Matters

Education sector breaches are particularly damaging because student and staff identifiers are long-lived, frequently reused across systems, and tied to high-trust institutional contexts. The combination of names, registration numbers, and dual email addresses gives adversaries a strong foundation for highly targeted phishing, business email compromise, and account takeover campaigns. Stolen Canvas message threads add a layer of social engineering credibility, allowing attackers to reference real conversations, course details, and faculty relationships. Given ShinyHunters' history of monetizing stolen datasets through underground markets, the leaked Belgian data is likely to surface in fraud and credential stuffing campaigns in the coming weeks.

The Attack Technique

The exact intrusion vector has not been disclosed by Instructure or the affected institutions. The breach is consistent with ShinyHunters' established playbook, which has historically relied on compromised third-party SaaS integrations, stolen OAuth tokens, and credential abuse against cloud platforms to siphon large volumes of customer data. The cross-institutional impact across Belgium and the Netherlands suggests an upstream compromise within the Canvas ecosystem or a connected service provider, rather than isolated attacks against individual university tenants. Affected schools say they are coordinating directly with Instructure as the investigation continues.

What Organizations Should Do

1. Issue immediate phishing awareness alerts to students and staff, specifically warning of fraudulent emails referencing Canvas, course enrollment, or registration numbers.
2. Force a credential reset for any account where Canvas SSO credentials may overlap with other institutional systems, and enforce phishing-resistant multi-factor authentication.
3. Audit OAuth tokens, API keys, and third-party app integrations connected to Canvas tenants and revoke any that are unused or unnecessary.
4. Increase monitoring for unusual logins, mailbox rule changes, and outbound email anomalies tied to recently exposed accounts.
5. Coordinate with Instructure to obtain incident artifacts and indicators of compromise, and share findings with national CSIRTs such as CCB Belgium.
6. Prepare GDPR breach notifications and document the chain of custody for affected data subjects, given the regulated nature of education records.

Sources: Data of thousands of students and lecturers in Flanders potentially stolen | VRT NWS: news