Cyberattack on Canvas disrupts exams at universities worldwide

A cyberattack on Canvas, a widely used education platform owned by Instructure, disrupted final exams for thousands of students in the US, Canada, and Australia during critical exam season. The hacking group ShinyHunters claimed responsibility, alleging access to billions of records across nearly 9,000 institutions, though these claims remain unverified. Instructure confirmed unauthorized access to fields like usernames, email addresses, and course enrollment data but stated core learning materials, submissions, and credentials were not compromised. Outages began Thursday morning, with students reporting inability to access revision materials or submit assignments. By Thursday evening, Instructure announced partial restoration for most users, but several universities, including Mississippi State and Idaho State, postponed or canceled exams due to lingering disruptions. Penn State warned students resolution was unlikely within 24 hours, while institutions like Virginia Tech and the University of British Columbia issued warnings about phishing attempts linked to the attack. The disruption occurred at a critical time for students. At Mississippi State University, a meteorology student reported a ransom message appearing mid-exam, reading: 'ShinyHunters has breached Instructure (again).' The message demanded bitcoin payment to prevent public release of stolen data. Universities reassured students that core exam work remained unaffected, though confusion and frustration persisted over potential reassessments. In Canada, the University of British Columbia and University of Toronto confirmed Canvas outages due to the cyber breach. The University of Iowa’s IT director described the incident as a 'national-level cyber-security issue,' emphasizing the scale of the disruption. As of Friday, some institutions continued reporting intermittent access issues, with Instructure advising affected users to monitor updates.