Voor de beste ervaring schakelt u JavaScript in en gebruikt u een moderne browser!
Je gebruikt een niet-ondersteunde browser. Deze site kan er anders uitzien dan je verwacht.

Update on the data breach at the Canvas provider

Canvas has been taken offline

9 mei 2026

Instructure, the provider of the Canvas learning platform, has informed the UvA about a security incident affecting Canvas. In this incident, data belonging to Canvas users were stolen. The incident occurred worldwide and is estimated to affect more than nine thousand educational institutions, including several in the Netherlands. According to Instructure, the data of staff and students at seven Dutch universities were involved in the breach — including the UvA.

Update 9 May, 11.00: Canvas remains offline

Unfortunately, Canvas software provider Instructure is still unable to give us sufficient assurances about the system’s security. Canvas will therefore remain offline for UvA students and staff on Saturday and Sunday.

Work on a solution is ongoing. We do not yet know whether this will be in place by Monday. We must therefore take into account that Canvas may still be unavailable after the weekend. Teaching in the week of 11 May will, in principle, proceed as scheduled, even if Canvas is not yet available. In that case, students and staff will experience limitations. A webpage with advice and practical tips will be provided for lecturers.

Having to switch off Canvas requires a great deal of flexibility from both students and lecturers. We thank everyone for that flexibility—and for your patience and understanding. We will of course do everything we can to return to normal as soon as possible.

We will continue to publish general information here. 

Read the joint statement (in Dutch) by Universities of the Netherlands. 

On Monday 11 May, at around 09:00, we will share the latest information on this page. 

For general questions, please consult our FAQ page

Update 8 May, 17:00:

All universities have disconnected Canvas. The universities are calling on users with an active session to log out of Canvas and not use it until further notice.

Read more at UNL (in Dutch)

Update 8 May, 13:00:

Canvas will remain offline on Friday 8 May. There is still too much uncertainty about the security of the system. A new update will follow on Saturday 9 May at 11:00.

• More information and FAQs can be found on our Q&A page
This email was sent to students

Update, 8 May, 08:05:

Canvas has been taken offline. On Thursday evening, 7 May, the hacker group ShinyHunters posted a message claiming they have regained - or still have - access. As a precaution, Canvas has been taken offline. More information will follow.

Further updates on services.uva.nl

Update, 7 May:

Instructure has now formally notified the universities. The company has also indicated that the hackers no longer have access to the system and that it has implemented additional security measures.

Which data were and were not affected

Based on the information currently available from Instructure, basic details of students and staff at the seven universities were leaked. These include names, email addresses and possibly Canvas IDs or student and staff numbers. According to Instructure, no passwords, dates of birth, identity documents, bank details or other special category personal data were leaked.

Be alert to phishing

Dutch universities are taking the incident very seriously. The universities concerned have informed their students and staff and are asking them to be vigilant about possible phishing emails following the data breach. In addition, each university has made a provisional notification to the Dutch Data Protection Authority and is in close contact with each other and with SURF.

Further steps will be taken on the basis of additional information from Instructure. The universities have not been approached by the hackers to pay a ransom for the data.