Canvas hacked ahead of finals week

The learning management platform Canvas was hacked on May 7 at around 1 p.m., just before finals week began at California State University, Northridge (CSUN). The attack disrupted access for students across the platform, with desktop users seeing a message from hackers demanding negotiations to prevent data leaks. By 1:45 p.m., this message was replaced with a generic maintenance error, while the mobile app displayed various errors. The incident impacted over 50% of U.S. higher education institutions, affecting an estimated 9.64 million students nationwide. Instructure, Canvas’s parent company, confirmed a cybersecurity breach on May 6, stating in an incident report that a criminal group compromised sensitive data. Instructure Chief Information Security Officer Steve Proud noted the company was working to contain the breach and minimize its impact. By 1:15 p.m. on May 6, Instructure claimed the threat had been neutralized and Canvas was fully operational. However, CSUN students remained locked out, with the university’s Information Security Officer, Kevin Krzewinski, urging vigilance in an alert. The hackers, identifying as ShinyHunters, claimed access to student names, personal emails, and Canvas messages, though Instructure stated no passwords, Social Security numbers, financial data, or birthdates were stored on the platform. ShinyHunters, a threat actor group active since 2020, has previously stolen over 200 million records from 13 companies. The breach’s full scope and CSU’s mitigation efforts remain unclear, leaving students unable to access exams, assignments, or projects as finals week approaches. Instructure has not confirmed the extent of exposed data, though hackers have made specific claims about the information in their possession.