Canvas Cyber Incident Disrupts Universities
A cyberattack on Instructure, the company behind the popular education platform Canvas, has forced multiple universities across the US to reschedule final exams. The attack, which was claimed by the ShinyHunters cybercriminal gang, resulted in a message being displayed to students and teachers as they navigated through Canvas, urging schools to negotiate a ransom by May 12.
The message was quickly removed by Instructure, and the entire Canvas platform was taken down for several hours. This prompted dozens of state schools and large universities, including Baylor University, the University of Texas, and the University of Pennsylvania, to warn students about the outages.
Impact on Universities
The schools affected by the Canvas outages include Iowa State, Duke, the University of Oklahoma, the University of Florida, Northwestern, Princeton, and Ohio State. Several K-12 school districts also reported being impacted. The universities urged students to be wary of phishing messages and to stay away from the Canvas platform until it is confirmed to be safe.
Baylor University noted that Canvas supports learning at 41% of higher education institutions in North America. A spokesperson for Instructure confirmed that hackers made changes to the pages that appeared when some students and teachers were logged in, and that the company had taken Canvas offline to contain access and further investigate.
Investigation and Response
Instructure has notified the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement agencies. The company has also hired cyber experts to investigate the incident. In an FAQ published on Friday morning, Instructure explained that the unauthorized actor exploited an issue related to their Free-For-Teacher accounts, and that they have made the difficult decision to temporarily shut down these accounts.
The company tied Thursday's incident to another cyberattack by the same group that took place last week. After that attack was discovered on April 29, Instructure revoked the hackers' access, started an investigation, and hired cyber experts. The company said it notified schools impacted by the original attack on May 5.
Concerns and Impacts
The attack has set off an array of concerns, with many expressing worry about the leak of sensitive data as well as potentially significant impacts on student grades. Adam Marrè, CISO at incident response firm Arctic Wolf, said groups like ShinyHunters target platforms like Canvas because one breach can expose thousands of organizations at once, maximizing pressure and potential payout.
Marrè noted that the biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate. The attack on Instructure is the latest in a string of high-profile incidents caused by ShinyHunters over the last two years.
The group caused widespread alarm last year with attacks on airlines, insurance companies, and schools like Harvard and the University of Pennsylvania. This year, they initiated another attack campaign that involved home security company ADT, educational company McGraw Hill, and gaming giant Rockstar.
- ShinyHunters originally said last week that it stole 3.6 TB of data that included information from more than 9,000 schools.
- Instructure did not respond to requests for comment about a potential ransom payment.
- The company was removed from the ShinyHunters leak site on Thursday night.
Groups like ShinyHunters target platforms like Canvas because one breach can expose thousands of organizations at once, maximizing pressure and potential payout. - Adam Marrè, CISO at Arctic Wolf
Source: The Record