Canvas, digital platform used by universities, back up after ransom hack

Canvas, a widely used learning management platform for thousands of schools and universities, faced a major cyberattack on May 7, causing hours of downtime during spring finals season. Universities including the University of Michigan, Harvard University, and Pennsylvania State University reported disruptions to classes, grades, and coursework due to the outage. The hacking group ShinyHunters claimed responsibility for the breach, alleging that nearly 9,000 schools globally were affected and that personal data of 275 million individuals—students, teachers, and staff—was stolen. The group demanded a settlement from Instructure, the company that owns Canvas, by May 12 or threatened to leak the data. Instructure stated on May 8 that it found no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. However, the company confirmed that names, email addresses, student ID numbers, and internal messages were accessed. By May 8, Canvas was fully restored and operational, according to Instructure’s status updates. The company advised affected institutions to follow their individual security recommendations and warned users to be cautious of phishing attempts or suspicious links related to the incident. Malwarebytes, a cybersecurity firm, recommended additional steps, including changing passwords for accounts linked to Canvas and enabling multi-factor authentication where possible. Instructure also noted that it had contacted impacted organizations on May 5 and that users should report any unusual activity to their institution’s IT or security team. The company emphasized maintaining vigilance against potential follow-up scams.