Canvas, a platform used by more than 8,000 universities and K-12 schools for course websites, assignments and communication, was shut down for several hours Thursday. A group of hackers has claimed responsibility for a data breach affecting the company that runs the platform, putting at risk the personal data of millions of students and teachers.
Several prominent universities, including the University of Michigan and Harvard, warned students Thursday that Canvas is not available. Across the country, students were preparing for, or already taking, their final exams.
Instructure, which provides its Canvas software to nearly half of all North American colleges and universities, said the software is still under development, and is expected to be “released soon” in a warning posted on its website Thursday evening. The company previously said it was investigating why the software was unavailable.
Instructure did not immediately respond to a request for comment.
ShinyHunters, the hacker group that claims responsibility for the Instructure data breach, said it obtained information from more than 275 million people at nearly 9,000 schools, according to a ransom note shared May 3 by Ransomware.live, which monitors ransomware groups.
An email shared with students at Barnard College in New York said the outage appeared to be “the result of a previous cyberattack on Instructure.”
Instructure disclosed on May 1 that it encountered a “cyber security incident committed by a criminal threat actor.” Steve Proud, chief information security officer at Instructure, said the company has brought in intelligence experts to mitigate the impact of the breach.
In an update shared the next day, Mr. Proud said the compromised data included personal information such as names, email addresses, student ID numbers and Canvas messages.
The company found no evidence that passwords, birthdays, government identifiers or financial information were breached, he said. The violation was “contained” since May 2, Mr. Proud added.
“Canvas is fully functional, and we are not seeing any unauthorized activity going on,” the company said on its website on Wednesday.
ShinyHunters, which is believed to have been founded in 2020, claimed to have violated the law on Thursday in a message that appeared on the pages of Student Canvas and was obtained by the New York Times.
The group said it also breached Instructure after the company failed to contact them to resolve its security issue. Instead, the group said Instructure “ignored us and made ‘security patches.'”
ShinyHunters said in its message that it will leak an unspecified amount of information on May 12 if it is not added to Instructure. In its May 3 ransom note, the group threatened to leak “several billions of private messages between students and teachers.”
The group also encouraged the affected schools, including Duke University and the University of Maryland, to consult with cybersecurity experts and reach a “negotiation of agreement.”
Some readers later saw the ShinyHunters message change to a warning that Canvas is “currently under scheduled maintenance.” The closure appeared to be in effect from 8 p.m
Not much is known about ShinyHunters, but its purpose seems to be to find personal records and sell them. The hacking group has previously targeted Ticketmaster, Microsoft, AT&T and dozens of other companies in the United States and elsewhere.
The group recently focused on education companies, including Infinite Campus, a K-12 student information company, and McGraw Hill, a popular book publisher.
