Stories from the heart of the helpdesk.

What happened

On 6 May 2026, Belgian broadcaster VRT NWS reported that the Canvas learning platform — used by dozens of Belgian and Dutch higher-education institutions — had been hacked. The hacker collective ShinyHunters claimed to be in possession of a database with data from more than 275 million Canvas users worldwide.1

Six Flemish institutions were explicitly affected: the Vrije Universiteit Brussel (VUB), Thomas More Hogeschool, Arteveldehogeschool, Karel de Grote Hogeschool, CVO Gent and the Erasmushogeschool. Another 44 Dutch institutions confirmed they were in the same breach.1

The institutions responded quickly: Canvas was safely restored and affected students and staff received warning emails. The Belgian Data Protection Authority was notified.

What data was leaked

The scope per institution varies — Canvas databases are largely segmented per customer. From the first reports:

• VUB — only school data (study programme, course timetable, class groups). No private information stolen according to the university.
• Arteveldehogeschool — first and last names, email addresses (both work and private), student and staff numbers, and the internal messages users exchanged with one another via Canvas. Passwords not leaked.
• Other institutions — similar combinations of name + email + internal ID, with varying amounts of messages and course data.

Important: passwords were not leaked anywhere. But that's misleadingly reassuring — for the attackers that ShinyHunters typically sells to, passwords aren't the end goal.

Why this kind of data is so dangerous

When an attacker wants to impersonate a student or staff member to an IT helpdesk at a university, they're usually asked one question: "can you identify yourself?". The typical "verification" that follows:

• "What's your full name?" → ✓ from the Canvas leak
• "What's your email address?" → ✓ from the Canvas leak
• "What's your student or staff number?" → ✓ from the Canvas leak
• "Which class group are you in this semester?" → ✓ often also in the Canvas data

With those answers, the attacker completes the identity check and gets a new password at an email address they themselves provide. No technical exploit, no malware. Pure social engineering, fuelled by publicly leaked data.

The ShinyHunters pattern

ShinyHunters is not an amateur group. Since 2020 they have been linked to breaches at Microsoft (source code), AT&T (73 million records), Ticketmaster (560 million customers), Santander, and countless SaaS platforms. Their pattern:

• Compromise a large platform via credential stuffing or supply-chain weakness.
• Exfiltrate as many customer identifiers as possible (not passwords — those are typically hashed and therefore worthless).
• Sell the database via dark-web forums.
• Follow-up attackers use the data for targeted social engineering — especially against helpdesks.

That's exactly why "only school data" isn't harmless. Once an attacker knows what course you're taking this semester or which class group you're in, the phone call sounds far more convincing than someone fishing in the dark.3

What this means for education and MSP helpdesks

The Canvas hack is an education story in the press, but the mechanism is universal. Three reasons why every helpdesk in 2026 is at risk:

• "Standard" verification questions have become worthless. Name + email + internal ID sat in some database that has been leaked. The question isn't if, but when, your customer base will be in circulation.
• Helpdesks are trained to help fast. An agent who refuses to reset a password for an "angry student just before an exam" gets complaints. That pressure plays into the attacker's hand.
• NIS2 enforces strong authentication. Universities and colleges fall under NIS2 as "essential entities" for public services. Asking questions no longer counts as audit evidence.4

How XyloTrust prevents this kind of attack

An attacker on the phone is missing one thing: the passport and face of the real victim. XyloTrust adds exactly that check at the moment of the request, in under thirty seconds:

• The agent clicks "Verify requester" in the Freshdesk ticket.
• The requester receives an SMS with a one-time link to our external identity-verification provider.
• They complete a short ID flow: scan of passport or eID, plus a live selfie.
• Passed? The helpdesk continues. No match between document and face? No reset. Done.

The leaked Canvas data — name, email, student number — is suddenly worthless to the attacker. They can't pass passport + selfie. Identity is no longer what you know, but what you are.

Final thought

The Canvas hack is symptomatic of a broader phenomenon: every large SaaS database is a potential social-engineering arsenal. ShinyHunters has now turned to education — last year it was telcos (Orange, T-Mobile), the year before casinos (MGM), the year before banks (Capital One). The pattern repeats; only the victim changes.

For education institutions and MSPs serving education customers, this means one thing: the era when "do you know your student number?" counted as a safe check is over. XyloTrust is our answer to that — a second factor that's not sitting in a database which may be offered on a forum within the year.