Security incident hits Canvas as finals loom for students across US
Thao Nguyen
Canvas, a cloud-based learning management platform used by thousands of schools and universities, was hacked and disabled for hours as students attempted to access their grades and other class materials on May 7, multiple news organizations and college student newspapers reported.
Colleges and universities across the United States, including the University of Michigan, Harvard University, and Pennsylvania State University, announced on May 7 that Canvas had reported a security incident and was experiencing an outage. The incident disrupted classes, coursework, and exams amid spring finals week for many schools.
The hacking group ShinyHunters claimed responsibility for the data breach at Instructure, the parent company and creator of the Canvas learning management system, according to The New York Times and CNN. Instructure said Canvas has more than 30 million active users worldwide and over 8,000 institutions as customers.
In a ransom letter shared on May 3 by Ransomware.live, a platform that tracks and monitors ransomware groups, ShinyHunters said it had accessed data from over 275 million people — including students, teachers, and other staff — across nearly 9,000 schools worldwide.
By late May 7, Instructure said in a post on its status page that Canvas was "now available for most users." Earlier, the company said Canvas and other related sites had been placed "in maintenance mode" and it was "investigating an issue where some users are having difficulties logging into Student ePortfolios."
ShinyHunters has a history of compromising global corporations, Reuters reported. In April, the hacking group said it had stolen nearly 80 million business records from video game developer Rockstar Games, the maker of Grand Theft Auto.
Colleges, universities report Canvas security incident
In a message to students and staff on May 7, the University of Michigan said Instructure reported a security incident that was "not specific" to the university and was affecting other institutions that use Canvas.
"Out of an abundance of caution, Information and Technology Services is temporarily removing access to Canvas while our teams investigate and take steps to protect university systems and data," the university said. "Users who are currently logged into Canvas should log out immediately."
Harvard University also reported that the Canvas platform was unavailable due to a cyber incident and noted that it was impacting "many Instructure customers worldwide."
Pennsylvania State University said in a statement that the school and "many other universities" were unable to access Canvas. The university said it does not "expect resolution to occur within the next 24 hours — and it could stretch beyond — tests and other assignments to be completed in Canvas will not be available."
Colleges and universities in Oregon, Ohio, New Jersey, Texas, Indiana, and Wisconsin also reported the Canvas outage and hacking incident, according to USA TODAY Network reporting.
College student newspapers report Canvas breach
The Harvard Crimson, the student newspaper at Harvard, reported that students could not access the site beginning on the afternoon of May 7, with ShinyHunters saying the university was among "thousands of schools allegedly affected by a breach of Instructure, Canvas' parent company."
The Crimson reported that Canvas redirected users to a message from ShinyHunters in which the group claimed responsibility and posted a list of schools that had been breached.
The Daily Pennsylvanian, the student newspaper for the University of Pennsylvania, reported that ShinyHunters said in a message posted on Penn's Canvas page last week that any university that did not wish to have its data released should contact the group before May 12.
Duke University had also been affected by the hack that hit over 9,000 schools, its student newspaper, The Chronicle, said. Student newspapers from the University of California, Los Angeles, the University of California, Berkeley, the University of Nebraska, and others also reported that their institutions had been affected.
Contributing: Reuters