Thousands of schools and universities across the United States were left scrambling Thursday as Canvas, a widely used learning management system, went offline due to a cyberattack. The disruption comes as students prepare for final exams, highlighting the education sector’s heavy reliance on digital platforms.
The hacking group known as ShinyHunters claimed responsibility for the breach, according to Luke Connolly, a threat analyst at cybersecurity firm Emisoft. Instructure, the company that owns Canvas, has not yet commented on whether the system was taken down as a precaution or directly knocked offline by attackers.
Canvas serves as the backbone for course management, storing grades, lecture notes, assignments, and lecture videos. The group posted online that nearly 9,000 educational institutions worldwide were compromised, with access to billions of private messages and other records, Connolly said.
Students quickly turned to social media to express frustration, noting they could no longer access study materials critical for final exams. Screenshots provided by Connolly indicate that ShinyHunters began threatening to leak the stolen data as early as Sunday, setting deadlines of Thursday and May 12. The later date suggests ongoing negotiations over an extortion payment.
The nation’s schools have increasingly become prime targets for cybercriminals due to the vast amount of digitized sensitive information. Previous attacks have hit Minneapolis Public Schools and the Los Angeles Unified School District. Connolly noted the Canvas incident closely resembles a breach at PowerSchool, a competing learning management platform, where a Massachusetts college student was charged.
Connolly described ShinyHunters as a loosely affiliated group of teenagers and young adults based in the United States and the United Kingdom. The group has also been linked to attacks on Live Nation’s Ticketmaster subsidiary.
Universities and school districts moved quickly to inform their communities. The University of Iowa’s College of Public Health labeled it a “national-level cyber-security incident.” Virginia Tech acknowledged the impact on final exams and other end-of-semester activities. The University of New Mexico sent a similar campus-wide alert, and the University of Florida advised students to watch for phishing messages impersonating Canvas.
Teachers reported scrambling to find workarounds. Damon Linker, a senior lecturer at the University of Pennsylvania, posted on X that students relied on Canvas for all readings and lecture slides ahead of Monday finals. “The outage leaves students and faculty dead in the water here in academia right now,” he said.
Harvard’s student newspaper confirmed the system was down there, and students at Johns Hopkins University received error messages when trying to view final grades. Public school districts, including Spokane, Washington, reassured parents that no sensitive data appeared to be in the breach.
Some institutions, such as the University of Texas at San Antonio, announced they were postponing finals scheduled for Friday in response to the outage. The full extent of the breach and when Canvas will be fully restored remains unclear.
Source: SecurityWeek News