Universities across the United States, Australia and Europe faced disruption after a cyberattack hit Canvas, a widely used online learning platform used for assignments, exams, grades and communication. The outage affected access at several institutions during final exam season, while schools also warned that student information may have been exposed in the breach.
Canvas, operated by Instructure Inc., is used by more than 8,000 universities and K-12 schools worldwide. The platform went down for several hours on Thursday, affecting students and teachers across campuses.
Universities including the University of Michigan, Harvard University, Stanford University, Yale University, Columbia University, Princeton University and Rutgers University reported issues linked to the platform. Australia’s Adelaide University and the University of Oslo in Norway also experienced disruptions.
Instructure, which provides Canvas to about half of all colleges and universities in North America, said late Thursday that the software was available again for most users. However, the company said Canvas Beta and Canvas Test services remained under maintenance.
The company had earlier said it was investigating the outage. On May 1, Instructure disclosed that it had experienced “a cybersecurity incident perpetrated by a criminal threat actor.”
A New York Times report quoted Steve Proud, Instructure’s chief information security officer, saying that the company had brought in forensic experts to reduce the impact of the breach.
In an update shared the next day, Proud said compromised information included names, email addresses, student ID numbers and messages exchanged on Canvas.
The company said it found no evidence that passwords, birth dates, government identification details or financial information had been accessed. Instructure added that the breach had been “contained” as of May 2.
Some universities warned students to stay alert for cyber threats following the breach. Baylor University warned users about phishing emails from attackers pretending to be university IT staff.
An email sent to students at Barnard College in New York said the outage appeared to be “the result of a previous cyberattack on Instructure.”
Cybercrime group ShinyHunters claimed responsibility for the breach in a dark web post and messages displayed on some students’ Canvas pages. The group claimed it had accessed data from more than 275 million people across nearly 9,000 schools, according to a ransom note shared by Ransomware.live on May 3.
In the message, the group claimed it breached Instructure “again” after the company “ignored us and did some ‘security patches.’”
ShinyHunters threatened to leak data on May 12 if the company failed to respond. In an earlier ransom note, the group claimed it possessed “several billions of private messages among students and teachers.”
The hackers also urged affected schools, including Duke University and the University of Maryland, to contact cybersecurity experts and negotiate a settlement.
Later, some students reported seeing the hackers’ message replaced with an alert stating that Canvas was “currently undergoing scheduled maintenance.”
ShinyHunters is known for targeting companies to steal personal records and demand extortion payments. The group has previously targeted Ticketmaster, Microsoft and AT&T, along with education-related companies such as Infinite Campus and textbook publisher McGraw Hill.
The incident adds to growing cybersecurity concerns in the education sector, where universities and schools have increasingly become targets because of the large amount of student and staff data they store.
