A cyberattack on Instructure, the parent company of the Canvas learning management system, resulted in a data breach and a temporary service outage that disrupted students and faculty at thousands of educational institutions worldwide during the final exam period.
Incident Overview
On Thursday, May 11, Canvas experienced a security incident that led to the platform being taken offline. Instructure detected unauthorized changes to pages displayed to logged-in users and suspended the system to investigate. The company reported that the unauthorized actor exploited a vulnerability related to Free-for-Teacher accounts, which were subsequently shut down. Canvas service was restored later that day, with the company stating the platform was "now available for most users."
Timeline of Events
- Saturday, May 6: A hacking group known as ShinyHunters claimed to have initiated a data breach of Instructure's systems.
- Thursday, May 11: Canvas became inaccessible to users at multiple institutions. Around 3:30 p.m. Eastern time, some users reported being redirected to a message from ShinyHunters. By approximately 4:20 p.m., the site displayed a maintenance message. Instructure later took the system offline.
- Post-Incident: Instructure reached an agreement with the hackers for the return and deletion of the stolen data.
Nature of the Breach
ShinyHunters claimed responsibility for the attack and stated that data from approximately 275 million individuals associated with nearly 9,000 schools had been accessed. The group posted a list of affected institutions and initially set a deadline of May 6 for responding to ransom demands, which was later extended to May 12.
Instructure confirmed that the compromised data included student ID numbers, email addresses, names, and user messages. According to Steve Proud, Instructure's chief information security officer, the investigation found no evidence that passwords, dates of birth, government identification numbers, or financial information were compromised.
Resolution with Hackers
Instructure announced that it reached an agreement with the hackers to delete the stolen data. The company received the data back and obtained "shred logs" as digital confirmation of the deletion. Instructure did not disclose whether a payment was made. The company acknowledged there is no guarantee of complete data erasure but characterized the action as providing "additional peace of mind" to customers. Instructure is working with forensic experts to review the data and enhance system security.
Impact on Educational Institutions
Multiple universities and school districts reported disruptions. Institutions confirming outages or taking precautionary measures included:
- Penn State University
- University of Wisconsin-Madison
- Columbia University
- Harvard University
- UCLA
- Northwestern University
- University of Chicago
- University of Illinois Chicago
- University of Illinois
- Union College New Jersey
- University of Amsterdam
K-12 school districts, such as Montgomery County Public Schools in Maryland and Spokane Public Schools in Washington, also reported impacts.
Some schools postponed or canceled exams. Penn State canceled tests scheduled for Thursday and Friday at its Pollock Testing Center. The University of Illinois postponed all finals through Sunday. Baylor University delayed Friday exams. Other schools, including the University of California and Montgomery County Public Schools, either kept Canvas disabled or advised against using it as a precaution.
Affected Data and Scope
Canvas is used by approximately 30 million users, including roughly half of higher education institutions in North America. Instructure stated that the breach involved data from users globally, including 44 institutions in the Netherlands. The company has not confirmed the total number of individuals affected by the breach.
Security Recommendations
Following the incident, cybersecurity professionals advised users to remain vigilant for phishing messages and to use password managers and multi-factor authentication. Experts noted that educational institutions may suspect attackers still have access to their systems and are taking additional security precautions.
Background on the Threat Actor
ShinyHunters is described as a loose affiliation of individuals, including teenagers and young adults from the United States and the United Kingdom. The group has previously claimed responsibility for other cyberattacks, including a 2024 breach of Live Nation's Ticketmaster.