{"id":646188,"date":"2026-05-08T08:10:05","date_gmt":"2026-05-08T06:10:05","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=646188"},"modified":"2026-05-08T15:56:59","modified_gmt":"2026-05-08T13:56:59","slug":"south-african-schools-and-universities-hit-by-global-hack","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/646188-south-african-schools-and-universities-hit-by-global-hack.html","title":{"rendered":"Wits University, Stadio, and Spark Schools hit by global hack"},"content":{"rendered":"\n

Universities and schools in South Africa, including the University of the Witwatersrand and the Stadio private higher education institution, have been struck by a hack of their learning management platform.<\/p>\n\n\n\n

International cyber-extortion group Shinyhunters claimed responsibility for the hack and takeover of the Canvas learning platform, which supports over 9,000 educational institutions worldwide.<\/p>\n\n\n\n

“Shinyhunters has breached Instructure (again). Instead of connecting with us to resolve it, they ignored us and did some ‘security patches,'” Shinyhunters said in a note displayed on Wits’ platform Ulwazi.<\/p>\n\n\n\n

Instructure is an American educational technology company that developed Canvas. On Friday, the company disclosed that it had suffered a cyber incident and was working with third parties to resolve it.<\/p>\n\n\n\n

Ulwazi used Canvas as its backbone, which the group targeted. The platform is critical to all the university’s learning processes and is used by students in every module and course.<\/p>\n\n\n\n

Educational institutions used Canvas-based learning management platforms to organise coursework and assignments and facilitate online learning.<\/p>\n\n\n\n

Shinyhunters claimed it exfiltrated private data from Canvas and the institutions that use it, and is threatening to leak it unless payment is made.<\/p>\n\n\n\n

“If any of the affected schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately to negotiate a settlement,” it said.<\/p>\n\n\n\n

Shinyhunters is a criminal cyber-extortion group believed to have been formed in 2019, which has claimed responsibility for numerous major data breaches across the globe.<\/p>\n\n\n\n

In the past, the group leaked information from institutions that have not paid their ransom on the dark web. It has not been publicly revealed how much it was trying to extort from Instructure or institutions.<\/p>\n\n\n\n

Students see ransom note<\/h2>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n

According to Shinyhunters’ list of thousands of affected institutions, Wits University, Stadio, Milpark Education, Invictus Education Group, SPARK Schools, and a few others have been affected by the attack.<\/p>\n\n\n\n

SPARK Schools told MyBroadband, after the publication of this article, that it had not been affected by the hack, despite being named by the hackers on its list of affected companies. <\/p>\n\n\n\n

“Instructure has confirmed that SPARK Schools has not been affected,” it said, and added that it implemented a full password reset for all scholar and teacher Canvas accounts as a precaution.<\/p>\n\n\n\n

“We continue to actively monitor the situation in collaboration with our technology partners to ensure the ongoing security of our systems and data.”<\/p>\n\n\n\n

Students at Wits University have posted the cyber-extortion group’s message embedded in the Ulwazi platform to social media, providing some confirmation of Shinyhunters’ claim.<\/p>\n\n\n\n

Wits has since removed the Shinyhunters notification, and Ulwazi now shows that it is under maintenance. Wits was the only major public university in South Africa on the list.<\/p>\n\n\n\n

“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions,” Instructure said in a statement.<\/p>\n\n\n\n

This included information “…such as names, email addresses, and student ID numbers, as well as messages among users.” It said passwords, dates of birth, IDs or financial information were not affected.<\/p>\n\n\n\n

The criminal group said that data from 275 million individuals “ranging from students, teachers, and other staff” containing private information was obtained in the hack. It is believed to be 3.65TB in total.<\/p>\n\n\n\n

It also included billions of private messages among students and teachers, and students’ messages were stolen. Shinyhunters also claimed a breach of Instructure’s Salesforce instance.<\/p>\n\n\n\n

Shinyhunters set a deadline of 12 May 2026 for institutions to pay the settlement “before everything is leaked.”<\/p>\n\n\n\n

South African educational institutions respond<\/h2>\n\n\n\n
\"\"
Stadio’s Centurion campus.<\/figcaption><\/figure>\n\n\n\n

Wits contacted MyBroadband at 12:01 on Friday and indicated that the Ulwazi platform had been restored after it was replaced by the Shinyhunters notice. <\/p>\n\n\n\n

“Yesterday, Instructure informed Wits and other universities across the world of a data breach to its systems,” the university said. <\/p>\n\n\n\n

“This appears to be because of an attack by a cyber extortion group. It seems like approximately 8,800 education institutions worldwide are affected by this incident.” <\/p>\n\n\n\n

It said that student and staff names, email addresses, student numbers and conversations contained within the Ulwazi inboxes were affected by the breach.<\/p>\n\n\n\n

Instructure initiated a forensic investigation, and further details will be shared as more information becomes available. Wits urged caution among its students.<\/p>\n\n\n\n

“We urge all students and Ulwazi users to be alert to unsolicited emails or messages appearing to come from Ulwazi or the University,” it shared. <\/p>\n\n\n\n

“Particularly any requesting login credentials or personal information. Do not click on suspicious links or attempt to download any files associated with this incident.”<\/p>\n\n\n\n

Stadio told MyBroadband that it found no evidence that its systems or data, including student data, have been compromised.<\/p>\n\n\n\n

“We are continuing to monitor the situation closely and are engaging with the provider to understand the full scope of the incident,” said Dr Stan du Plessis, CEO of Stadio. <\/p>\n\n\n\n

“Stadio students access Canvas via secure Microsoft 365 authentication, which adds an additional layer of protection within our broader digital environment.” <\/p>\n\n\n\n

The private educator said that it would inform any students or staff as soon as emerging risks are identified and more information becomes available. <\/p>\n\n\n\n

\n\n\n\n

Wits Ulwazi platform showing Canvas error message<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n","protected":false},"excerpt":{"rendered":"

Wits University, Stadio Spark Schools, and several other local institutions have been affected by a global ransomware attack.<\/p>\n","protected":false},"author":341213,"featured_media":646203,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[105089,105088,95129,105090,93289,30514],"class_list":["post-646188","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-canvas","tag-instructure","tag-shinyhunters","tag-spark-schools","tag-stadio","tag-university-of-the-witwatersrand"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646188"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=646188"}],"version-history":[{"count":12,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646188\/revisions"}],"predecessor-version":[{"id":646345,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/646188\/revisions\/646345"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/646203"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=646188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=646188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=646188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}