Canvas hacked for a second time, student’s personal information held for ransom

The hacker group ShinyHunters breached Canvas, the learning management system used by Sacramento State and over 9,000 schools globally, stealing 3.65TB of student data, including personal information from 275 million users. The group demanded a ransom from Instructure, the company behind Canvas, threatening to leak the data publicly by May 12 if demands were not met. Six California State University campuses—Sacramento State, Humboldt, Long Beach, East Bay, Dominguez Hills, Bakersfield, and Channel Islands—were listed among affected schools. CSU resources like CSU Online, Connect, and the Office of the Chancellor were also impacted. The CSU Chancellor’s Office confirmed Canvas is down across all campuses and is working to restore access, calling the breach a top priority for student and employee privacy. ShinyHunters accused Instructure of ignoring their initial contact and applying only ‘security patches’ instead of negotiating. The hackers provided a list of affected schools and instructed institutions to contact them via TOX for private negotiations. Students, including Sacramento State journalism major Carter Chitiva, reported panic over the breach, with concerns over exposed personal data like emails, passwords, and financial information. As of May 7, users cannot access Canvas through its website or mobile app, with the platform displaying a ‘maintenance’ message. The university advised students to email professors for updates and avoid entering any personal information into the system. Neither Sacramento State nor its Information, Resources & Technology Office responded to requests for comment by publication time. The breach follows a previous hack, with no timeline yet for resolution. Students and instructors remain locked out, disrupting academic activities as finals approach. This incident underscores growing cybersecurity risks for educational institutions worldwide.