Was my data actually stolen if I go to U of T, UBC, Western, or OCAD?

Instructure confirmed names, email addresses, student IDs, and personal messages were taken. They say no passwords, financial information, or government-issued ID details were compromised. If your school uses Canvas and you logged in this term, treat your name, email, and student number as exposed. Run the 7-step lockdown anyway. It is faster than figuring out later if you were one of the affected accounts.

Instructure paid the ransom. Why is my data still at risk?

ShinyHunters reset the leak deadline after Instructure paid. The original deadline was end of day May 12. They are now demanding more or threatening to publish the 3.65 TB regardless. Ransom payments to criminal groups never carry guarantees. Assume the data is out there and act accordingly.

Will this affect my scholarship applications or OSAP?

Not directly. OSAP, scholarship providers, and university financial aid offices do not run through Canvas. But scammers will use the leaked data to send fake scholarship offers and tuition-payment scams that look credible because they have your name, school, and email. Verify every funding offer against the official program page. Legit Canadian scholarships never ask for your SIN, banking details, or upfront fees.

Should I change my Canvas password right now?

Yes. Even though Instructure says passwords were not in the stolen set, password reuse is the most common follow-on attack. Change your Canvas password, and change it everywhere else you used the same one. Turn on two-factor authentication on Canvas and your school email.

How do I know if an email about this breach is real or a phishing follow-up?

Your school will post the breach notice on its official student portal and main news page. Cross-check anything in your inbox against the portal. Never click links in emails about the breach. Type your school's URL directly into the browser instead.

Canvas Just Leaked Your Data. Lock Down Tonight.

If you have a Canvas account at a Canadian university right now, your name, email, and student number have probably been stolen. Instructure paid the ransom on May 11. The hackers reset the deadline anyway. Tonight is when this gets real, and the next 14 days are when most of the damage actually happens.

Eight Canadian institutions have been named so far: University of Toronto, UBC, Simon Fraser, University of Alberta, Western University's Ivey Business School, OCAD, Mohawk College, and Ontario Tech. Globally the number is much bigger. 8,809 institutions and roughly 275 million people. This is the largest education breach on record.

The thing is, this is not a funding story. Not directly. But the second-order effects hit your funding hard, because every fake scholarship offer and tuition scam landing in your inbox over the next month will quote your actual name, your actual school, and your actual student number at you. That is what makes the scams work. Your job tonight is to make sure none of them work on you.

TL;DR: what to do in the next two hours

Change your Canvas password and turn on two-factor auth. Do the same for your school email.
Freeze your credit with Equifax Canada and TransUnion Canada. It's free and takes about 15 minutes total.
Set up Google or Apple alerts on your full name plus any of the leaked institutions.
Tell your bank and any service that uses email-based password reset that you might be a target.
For the next 14 days, treat every "scholarship", "tuition refund", or "financial aid" email as a scam until proven otherwise.

The 7-step lockdown

1. Change your Canvas password

Instructure says passwords were not in the stolen data, and they are probably right. But you have no way to verify, and the cost of being wrong is real. Change the password tonight, and pick something that is not used anywhere else.

2. Turn on two-factor authentication on Canvas and your school email

This is the best 90 seconds you will spend on the whole list. With 2FA on, even a leaked password isn't enough to log in as you. Use your school's official 2FA app, or an authenticator app like Authy or Google Authenticator. Don't use SMS for this. SIM-swap attacks get common once criminals know which school you go to.

3. Freeze your credit

In Canada, both Equifax and TransUnion now offer free credit freezes. A freeze stops new credit accounts from being opened in your name. You can unfreeze instantly when you need to apply for a real loan. The whole process takes about 15 minutes.

This is the single best protective step you can take after any breach that exposes personal identifiers.

4. Audit every account that uses your school email for password resets

Your school email is the weakest link. Once someone gets in, they reset every other account that emails a reset link back to that address. Walk through your bank, your e-transfer recipients, any government login (CRA, Service Ontario, ServiceBC, Service Canada). If any of them list your school email as the recovery address, change it to a personal Gmail or Outlook account you control.

5. Set up name and school alerts

Free option: Google Alerts on your full name, your full name plus "scholarship", and your full name plus the name of your school. Set the digest to daily. If you see your name appear in a leak listing or paste, you will know within 24 hours.

6. Tell your bank you might be a target

Call the number on the back of your card. Tell them your university was named in the Canvas breach. Most banks will flag your account for extra verification on large transactions for a few months at no cost. If a scammer tries a tuition wire scam later, the call from the bank catches it.

7. Block the predictable next attack

The scam that works best after a breach like this one is "your scholarship has been awarded, click here to claim". The criminals already have your name, your school, your email. They will sound legitimate. So treat every scholarship, tuition refund, or financial aid email arriving in the next 14 days as a phishing attempt, and cross-check it against the official source before clicking anything. If a Canadian scholarship program is genuinely trying to give you money, the offer will also show up on the program's own website. Type the URL in directly instead of clicking the email link.

Why we're writing about this

Most student funding scams in Canada start by quoting real information at you to build trust. The Canvas breach just gave scammers a clean list of names, schools, and student numbers belonging to actual Canadian students. The next two months are going to bring a wave of fake scholarship and tuition refund emails aimed at this country specifically.

FundMyCourse doesn't host any scholarship applications. We point you to the real providers, and you apply on their site. That's actually useful in a month like this one. A legitimate Canadian scholarship will never ask for your SIN. It won't ask for banking details before you've been awarded. It won't charge an application fee. And it won't email you a "click here to claim your award" link without you ever applying in the first place. Every funding opportunity we list links straight to the provider's own page. If something hits your inbox and you want to verify whether it's real, browse the catalogue and check whether the source URL matches the email you got.

If the breach has rattled you and you want a clean restart on your funding plan, take the 2-minute eligibility quiz. It runs without asking for any identifier we don't need to score you. Your answers stay in your browser.

A few things this is NOT

Your scholarship eligibility hasn't changed. OSAP, Canada Student Grants, and every provincial student aid program run on systems totally separate from Canvas. None of those have been touched in this breach. Your existing aid is safe.

This also isn't something you can sit out by waiting for your university to write to you. They will post a notice eventually. Your inbox will get the scams first.

Sources we used

Last updated 2026-05-12 with ShinyHunters reset of leak deadline. We will update this post if the affected-institution list grows.