Ottawa-area university students and faculty are being urged to change their passwords and stay alert for phishing attempts after a major cyberattack hit Instructure, the company behind Canvas — the online learning platform used at both the University of Ottawa and Carleton University.
What Is Canvas and Why Does It Matter?
If you've studied at a Canadian university in the last decade, you've almost certainly used Canvas. It's the digital hub where students submit assignments, access course materials, message professors, and track grades. Instructure, the American company that runs the platform, serves hundreds of post-secondary institutions across Canada and the U.S., making it a high-value target for cybercriminals.
Last week, hackers breached Instructure's systems and made off with a significant amount of data. The full scope of what was taken hasn't been publicly disclosed, but breaches of this kind typically expose names, email addresses, institutional login credentials, and course enrollment records — enough for bad actors to craft convincing phishing attacks.
A Deal With the Hackers
In a move that's becoming more common but no less controversial, Instructure struck a deal with the hackers — reportedly agreeing to a payment in exchange for the deletion of the stolen data. It's a murky resolution that cybersecurity experts are skeptical of.
"There's no way to verify the data was actually deleted," one researcher noted. "You're trusting criminals to hold up their end of a bargain."
The negotiation does suggest the breach was a data-extortion attack rather than a ransomware lockout — meaning the hackers' goal was to extract a payout, not to disable the platform itself.
What Ottawa Students Should Do Right Now
If you're enrolled at uOttawa, Carleton, or any other Canadian institution that uses Canvas, don't wait for official guidance — take steps now:
- Change your Canvas password immediately, and update any other accounts where you've reused that password
- Enable two-factor authentication on your student email and institutional accounts
- Watch for phishing emails that reference Canvas, your university, or your courses — attackers can use the exposed data to craft convincing fakes
- Report anything suspicious to your institution's IT help desk
Neither uOttawa nor Carleton has publicly confirmed how many of their users were affected, but both campuses have been monitoring the situation.
A Growing Threat to Canadian Campuses
This isn't an isolated incident. Canadian universities have faced a wave of cyberattacks in recent years, and schools are increasingly attractive targets — they hold enormous amounts of personal and financial data, often run a mix of modern and legacy systems, and rely heavily on third-party software vendors like Instructure.
The challenge is that no matter how strong a university's own cybersecurity posture, a vendor breach can expose their community just as badly. When you hand your data to a third party, you're trusting their security team too.
For Ottawa students juggling exams and end-of-semester deadlines, this is an unwelcome distraction — but taking five minutes to update your passwords now is a lot easier than dealing with a compromised account later.
Source: Global News Ottawa
