A cyberattack on Canvas, the learning management system used by thousands of K-12 schools, colleges, and universities, knocked the platform offline Thursday, May 7, leaving millions of students and faculty without access to course materials at the worst possible moment — as many schools and colleges approach finals.
The hacking group ShinyHunters claimed responsibility for the breach, posting a list on a dark web site that named more than 8,800 institutions as affected. Instructure, the parent company behind Canvas, placed Canvas, Canvas Beta, and Canvas Test into maintenance mode while it investigated. While the company is reporting that it restored access for most users late Thursday evening, there are still many reports on social media about outages.
What Was Exposed: Instructure has said the stolen data appears to include names, email addresses, student ID numbers, and messages users exchanged on the platform. The company has stated it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
The hackers have given Instructure until May 12 to pay a ransom, or they say they will leak the data publicly. An earlier deadline on May 8 has already passed, and cybersecurity researchers tracking the group say extortion negotiations may still be ongoing.
The Scope of Disruption: Canvas has more than 30 million active users globally and over 8,000 institutional customers, according to Instructure. Inside Higher Ed reports Canvas is used by roughly 41% of higher education institutions in North America, making it the dominant Learning Management System (LMS) in the region.
Some of the impacted colleges include Harvard, Columbia, Rutgers, Georgetown, the University of Pennsylvania, Virginia Tech, the University of New Mexico, the University of Florida, Johns Hopkins, Duke, and the University of Iowa.
The University of Texas at San Antonio pushed back Friday finals. The University of California system temporarily blocked or redirected Canvas access at its locations as a precaution.
Disruptions were also reported in the United Kingdom, Australia, New Zealand, Sweden, and the Netherlands, where 44 institutions were affected.
Two Major Risks For Students: Beyond the threat of leaked personal data, some students and faculty have raised concerns about the integrity of grades and assignment records housed in Canvas. Final grades, submission timestamps, and academic records all flow through the platform. Some students at Johns Hopkins reported error messages when trying to view final grades Thursday. And if there are issues, what are schools doing to move deadlines and validate information?
The University of Florida warned students to watch for phishing emails posing as Canvas notifications — a common follow-up tactic after a major breach.
What to Watch: The May 12 is the next ransom deadline. If Instructure does not negotiate, the data could be posted publicly on the dark web. Schools have begun notifying students and parents and are likely to roll out free identity protection services, as has become standard after large breaches of this size. Lawsuits will also likely follow.
How this Connects: Education technology has become a high-value target for ransomware crews. The Canvas breach closely resembles the recent attack on PowerSchool, another major learning management vendor, which exposed records on tens of millions of students and led to federal charges against a Massachusetts college student. Past attacks have also hit Minneapolis Public Schools and the Los Angeles Unified School District.
For students worried about identity theft, a free security freeze with all three credit bureaus (Equifax, Experian, and TransUnion) remains the most effective protection, along with monitoring your credit.
It’s also a good moment to change your passwords, especially if you use the same password to login to Canvas as other tools.
Student loan borrowers should be especially alert: stolen email addresses are often used to launch fake servicer or financial aid scams.
It’s important to remember that most people’s data has already been stolen, so the key is ensuring that your vigilant against it’s misuse.
Don’t Miss These Other Stories:
