Thousands of schools across the United States faced significant disruption on Thursday after the education technology company Instructure shut down access to its widely used Canvas platform due to a data breach by hackers identified as ShinyHunters.
Higher education institutions have become frequent targets for ransomware and data extortion, but the scale of this cyberattack—targeting a single software platform—has had unprecedented impact. Instructure entered "maintenance mode" as the hackers, who had been attempting to extract a ransom since May 1, exacerbated the situation just as many students were studying for finals and completing end-of-year assignments.
Prominent universities including Harvard, Columbia, and Rutgers issued alerts to students regarding the breach. ShinyHunters claimed that over 8,800 schools were affected, though the full extent of the breach remains uncertain. The Canvas platform experienced downtime throughout the day, complicating matters further.
Instructure’s Chief Information Security Officer, Steve Proud, reported in their log that the incident involved compromised user information including names, email addresses, and student ID numbers. By the end of Wednesday, Instructure claimed that the Canvas platform was operational again, but another status update on Thursday indicated that users were experiencing login issues. Shortly thereafter, Canvas was placed into maintenance.
As the day progressed, reports emerged of secondary attacks, including defaced school login pages displaying messages from the hackers. Harvard’s Canvas portal was altered to include a list of purportedly affected institutions and a warning for those schools to negotiate with the group by May 12 to prevent data leaks.
Though Instructure has yet to comment on the ongoing outages, the implications of the breach are severe, given the potential exposure of sensitive student information. ShinyHunters has a history of large-scale data breaches and is associated with various cybercriminal activities.
The identity of those behind the ShinyHunters name is unclear, with some cybersecurity experts suggesting connections to previously known hacker groups. The ShinyHunters affiliate stated on a dark web site that Instructure had not engaged in negotiations with them to prevent the release of data, which they claimed illustrated the company’s indifference to the situation affecting students and institutions.
Despite the hackers temporarily removing references to Instructure from their site by Thursday evening, many institutions are still grappling with the aftermath of the attack. Experts note that this incident underscores the urgent need for collective international efforts to combat cybercrime, especially as repeat offenders like these escalate their attacks over time, intensifying the risk for organizations worldwide.
