Canvas system is online after a cyberattack disrupted thousands of schools
Tens of thousands of students studying for final exams around the world Friday regained access to a key online learning system after a cyberattack knocked it offline, throwing schools and universities into chaos.
A hacking group called ShinyHunters claimed responsibility for the breach at Canvas, said Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft. Instructure, the company behind Canvas, said in an update late Thursday that the system was available for most users.
Canvas is used to manage grades, course notes, assignments, lecture videos and more. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, Connolly said.
Screenshots Connolly provided showed that the group had been threatening to leak the trove of data. By Friday, Instructure and Canvas had been removed from a dedicated leak site created by the ransomware group on the dark web to publish stolen data, he said.
Canvas went down Thursday at the worst possible time, which came as no surprise to Huseyin Can Yuceel, the security research lead at Picus Labs.
“Timing is everything, because they want to inflict pain as much as possible,” he said, “so they can extort money out of it.”
Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files that not long ago were committed to paper in locked cabinets. Past attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District.
Instructure has not posted about the attack on its social media. The company didn’t immediately respond to emails from The Associated Press asking whether it paid a ransom and inquiring about what happened with the compromised data.
Students quickly took to social media, with many panicking that they could no longer view course materials housed within the platform to study for their final exams.
Teachers said they were having to find workarounds to help students study for exams and submit final assignments. And some schools, such as the University of Texas at San Antonio, announced they were pushing back finals scheduled for Friday in response to the outage.
Schools like Princeton University turned to the social platform X late Thursday to announce that Canvas appeared to be working and information technology staff was monitoring the situation.
Rhongho Jang, a computer science professor at Wayne State University in Detroit, was finalizing grades for a class of 94 students when the system went down. He keeps paper copies of the student exams, but all of the semester assignments were done online.
“That’s 50% weight for the final grading,” Jang said.
If those assignments and grades could not be recovered, Jang would have given his students full credit.
“I didn’t want to penalize them,” he said. “We cannot judge based on the data we don’t have. The final responsibility is still on the server.”
Although he was sure the data was saved and would be recovered, Jang was relieved when Canvas came back up.
Allan Liska, of the cybersecurity firm Recorded Future, said the outage did appear deliberate, not a glitch, and that Instructure was trying to figure out how widespread the problem was and make sure the hackers were no longer inside its system.
“There’s no indication at this point that any ransom has been paid,” Liska said. “And it likely is still a little too early for a ransom to have been paid. You know, normally these negotiations kind of drag on for a while.”
Liska said nothing big has been leaked yet, but said that is common. “Once they’ve leaked, they’ve lost their leverage.”
Connolly said the Canvas attack is strikingly similar to a breach at PowerSchool, which also offers learning management tools. In that case, a Massachusetts college student was charged.
Connolly described ShinyHunters as a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. The group also has been tied to other attacks, including Live Nation’s Ticketmaster subsidiary.
ShinyHunters, or an offshoot, also was behind a previous smaller breach of Instructure, Liska said. He added that the group or someone pretending to be ShinyHunters issued a statement Friday indicating that it had nothing to say.
“It’s very weird,” Liska said, noting that the group is “normally a very talkative bunch.”
