Multiple universities forced to reschedule final exams after Canvas cyber incident

Universities across the U.S. were forced to delay final exams this week following a cyberattack on a popular education software provider.

On Thursday, dozens of students took to social media to say they saw a message from a cybercriminal group as they navigated through Canvas, an educational platform created by Instructure that hosts teaching materials, tests, readings and more. 

The message, from the ShinyHunters cybercriminal gang, said they breached Instructure "again" after the company did not negotiate a ransom following a breach last week. The note urged schools to reach out to the hackers directly to negotiate a ransom by May 12. 

The note was quickly removed by Instructure and replaced with an “under maintenance” landing page. 

Instructure took down the entire Canvas platform for several hours, prompting dozens of state schools and large universities to warn students about the outages, including Baylor University, the University of Texas, the University of Pennsylvania, Iowa State, Duke, the University of Oklahoma, the University of Florida, Northwestern, Princeton and Ohio State.

Several K-12 school districts also reported being impacted by the Canvas outages. 

The schools urged students to be wary of phishing messages and to stay away from the Canvas platform until it is confirmed to be safe. Baylor University noted in its message that Canvas “supports learning at 41% of higher education institutions in North America.”

A spokesperson for Instructure confirmed to Recorded Future News that hackers “made changes to the pages that appeared when some students and teachers were logged in.”

“Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate. We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts,” the spokesperson explained. 

“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”

In an FAQ published Friday morning, the company added that it has notified the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and international law enforcement agencies. The FBI declined to comment and CISA did not respond. 

Instructure tied Thursday’s incident to another cyberattack by the same group that took place last week. After that attack was discovered on April 29, Instructure revoked the hackers’ access, started an investigation and hired cyber experts. The company said it notified schools impacted by the original attack on May 5.

The company admitted that the same hackers were still inside their systems as of May 7 and conducted the defacement that students saw on Thursday. 

They noted that while information like names, email addresses, student ID numbers and messages among Canvas users was stolen during the first attack, no new data was taken during the incident on Thursday. Instructure did not respond to requests for comment about a potential ransom payment. The company was removed from the ShinyHunters leak site on Thursday night.

Instructure said external cyber experts have “found no evidence that the threat actor currently has access to the platform.” 

ShinyHunters originally said last week that it stole 3.6 TB of data that included information from more than 9,000 schools.

Social media was inundated with posts from students across the U.S., many of whom joked or lamented the attack on Canvas ahead of final exams. 

The attack also set off an array of concerns, with many expressing worry about the leak of sensitive data as well as potentially significant impacts on student grades considering thousands of kids were locked out of the platform. 

Adam Marrè, CISO at incident response firm Arctic Wolf, said groups like ShinyHunters target platforms like Canvas because one breach can expose thousands of organizations at once, maximizing pressure and potential payout. 

“The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate,” Marrè said. 

The attack on Instructure is the latest in a string of high-profile incidents caused by ShinyHunters over the last two years. The group caused widespread alarm last year with attacks on airlines, insurance companies and schools like Harvard and the University of Pennsylvania before initiating another attack campaign this year that involved home security company ADT, educational company McGraw Hill and gaming giant Rockstar.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.