Several South African education institutions have been caught up in a global cyberattack targeting Canvas, a widely used learning management platform. Among those named are the University of the Witwatersrand, Stadio, Milpark Education, Invictus Education Group and SPARK Schools.
The attack has been claimed by ShinyHunters, an international cyber-extortion group that says it breached Instructure, the US-based technology company behind Canvas. Instructure disclosed on Friday that it had suffered a cyber incident and was working with third parties to respond.
At Wits, the hack struck Ulwazi, the university’s Canvas-based learning platform. Students shared screenshots on social media showing a message from ShinyHunters embedded on the site. Wits later removed the notice, and Ulwazi was placed under maintenance.
Hackers claim huge trove of private data
ShinyHunters says it stole private data from Canvas and from institutions using the platform. The group is threatening to leak the information unless a settlement is reached before 12 May 2026.
Instructure said early indications suggest the affected data includes identifying information for some users, such as names, email addresses, student numbers and messages exchanged on the platform. The company said passwords, dates of birth, IDs and financial information were not affected.
ShinyHunters, however, claims the breach is far larger. The group says it obtained data linked to 275 million individuals, including students, teachers and other staff, as well as billions of private messages. It also claims to have breached Instructure’s Salesforce instance. Those claims come from the hackers and have not been independently verified in the source material.
Why this attack matters
Canvas is central to learning at many institutions. It is used to manage coursework, assignments and online teaching. That means a breach does not just raise privacy concerns. It can also disrupt day-to-day education at scale.
At Wits, Ulwazi supports teaching across all modules and courses. If sensitive student and staff communications were exposed, the fallout could stretch well beyond technical downtime.
Pressure grows on affected institutions
ShinyHunters has a history of leaking data from victims who do not pay. The group said schools wanting to prevent publication of their information should work through a cyber advisory firm and contact it privately.
For now, the key questions are how much data was truly taken, which South African users were affected, and how institutions will respond. The hack is another warning that when global education platforms are hit, the consequences land quickly in South African classrooms too.