Back
Technology

Canvas Online Learning Platform Disrupted by Reported Breach

Generated on: Last updated: 4 sources
View source

Canvas Outage Disrupts Global Education During Finals

A security incident involving Instructure, the parent company of the Canvas learning management system, led to a temporary outage on Thursday, disrupting access for students and faculty at thousands of educational institutions globally during final examination periods.

Incident Timeline

On Thursday afternoon, users began reporting access issues. According to reports from Harvard University's student newspaper, Canvas remained accessible to its affiliates until at least 2:00 p.m.

By approximately 3:30 p.m., the site began redirecting to a message from a group identifying itself as ShinyHunters. The group claimed to have breached Instructure.

By 4:20 p.m., the site displayed a message indicating scheduled maintenance. Multiple sources confirmed Canvas was inaccessible to users at several universities, including Penn State, University of Wisconsin-Madison, Columbia University, UCLA, Northwestern University, University of Chicago, and the University of Illinois.

Instructure later stated that Canvas was "now available for most users" and restored access later that day.

"Canvas was restored for most users later that day."

Details of the Incident

Instructure confirmed that an unauthorized actor made visible changes to user accounts, prompting the company to take the platform offline. The company stated that the actor exploited a vulnerability related to Free-For-Teacher accounts, which were temporarily shut down.

Instructure reported that the incident involved:

  • Names
  • Email addresses
  • Student ID numbers
  • User messages

The company stated that passwords, birth dates, government identifiers, and financial information were not compromised.

ShinyHunters' Claims

The group ShinyHunters claimed responsibility for the incident. The group stated that an initial breach on Saturday involved data from 275 million students, teachers, and staff at nearly 9,000 schools worldwide.

The group posted messages on the Canvas platform, accusing Instructure of ignoring their outreach and issuing "small security patches." They urged affected schools to contact a cyber advisory firm and negotiate a settlement before deadlines on Thursday and May 12, or potentially risk data being leaked.

Affected Institutions and Response

Multiple universities reported significant impacts:

  • Penn State canceled tests scheduled for Thursday and Friday at its Pollock Testing Center.
  • University of Illinois postponed all finals through Sunday.
  • Baylor University delayed Friday exams.
  • Montgomery County Public Schools in Maryland and the University of California system kept Canvas disabled or advised against its use as a precaution.
  • University of Amsterdam, one of 44 Dutch institutions affected, recommended password changes.

"HUIT was actively investigating the situation."

Harvard University Information Technology spokesperson Tim Bailey stated the university was "aware that the Canvas platform is currently unavailable due to a cyber incident" and that HUIT was "actively investigating."

Background

The cybersecurity group ShinyHunters has been described by threat analyst Luke Connolly of Emisoft as a "loose affiliation of teenagers and young adults." The group has claimed responsibility for other incidents, including a 2024 data breach of Live Nation's Ticketmaster.

Cybersecurity expert Rachel Tobac advised users to remain vigilant for phishing messages and to use password managers and multi-factor authentication.

Canvas is used by 30 million users, including half of higher education institutions in North America. Schools have been frequent targets for cyberattacks, with past incidents affecting Minneapolis Public Schools and Los Angeles Unified School District.