Canvas data breach rattles colleges during finals period : NPR

Image of a notice sent Friday by Georgia Tech's IT department warning users of the Canvas breach.

Michael Warren/AP


Online education platform Canvas was taken offline after a data breach on Thursday, temporarily leaving students and faculty at thousands of U.S. colleges – and K-12 schools – without access to course materials and communications during the exam period.

“I’m sure that somewhere in the country when the outage happened, there were probably people taking their final exams on the platform when it crashed,” says Damon Linker, an assistant professor of political science at the University of Pennsylvania.

Thirty million users, including half of North America’s higher education institutions, rely on Canvas to manage courses, submit assignments, view grades and facilitate communication, according to its parent company, Instructure.

But when Linker and many other users tried to do so Thursday afternoon, they were met with a black screen and a warning message.

“ShinyHunters has (again) violated Instructure,” it reads. “Instead of contacting us to resolve the issue, they ignored us and applied some ‘security fixes’.”

ShinyHunters is the same entity that took credit for a massive Ticketmaster data breach in 2024. Like many of these groups, it’s a group of young people working together remotely, “kind of like a ransomware gang,” says Rachel Tobac, CEO of SocialProof Security, which trains people and businesses to defend themselves against hackers.

ShinyHunters wrote on a threat intelligence website earlier this week that Saturday’s first breach affected the data — including private messages — of 275 million students, teachers and staff at nearly 9,000 schools worldwide. The group said Thursday that affected schools could prevent the disclosure of their data by consulting with cyber consulting firms and negotiating settlements through the encrypted chat platform Tox.

“You have until May 12, 2026 for everything to be disclosed,” the hackers wrote.

Instructure confirmed a series of cybersecurity breaches this week and provided updates on its website. It said the breach only appeared to involve identifying information such as names, email addresses, student ID numbers and user messages — not passwords, dates of birth, government identifiers or financial information.

Instructure confirmed on an FAQ page that it opened an investigation after first detecting unauthorized activity in Canvas on April 29, and took Canvas offline on Thursday after the same unauthorized actor “made changes that appeared when some students and teachers were logged in.” It said the actor exploited a glitch with its Free-for-Teacher accounts, which it temporarily closed.

“This gives us the confidence to restore access to Canvas, which is now fully back online and available for use,” the company said in a statement to NPR. “We regret any inconvenience and concern this may have caused.”

It’s unclear whether Instructure paid a ransom or what the return of access to Canvas could mean for the hackers’ May 12 deadline.

Tobac says Canvas could be back online thanks to a successful negotiation or because the hackers “didn’t get very far in their attack.” Regardless, she says users should remain vigilant, especially around phishing messages, whether it’s someone posing as Canvas requesting a password change or posing as a professor sending course materials.

“I would assume there will be repercussions here,” she said.

Not everyone came back online immediately

Just before midnight on Thursday, Instructure posted online that “Canvas is now available to most users,” although two separate services, Canvas Beta and Canvas Test, remained in maintenance mode.

Students and faculty at at least some schools were still unable to access Canvas as of Friday, either because service had not yet been restored or because administrators had warned them to stay away.

Penn State University, for example, said Friday morning that while the school’s access to Canvas had been partially restored, it was “not yet ready for use.”

“Penn State technical teams are actively working to prepare the system for our community,” the statement added. “As access is restored, Canvas integrations and associated services will be brought back online in stages.”

Several schools have taken similar approaches, either temporarily disabling access to Canvas or outright asking users to stay away. The University of California said in its schools: “Access to Canvas will not be restored until we are sure the system is secure.”

And it’s not just higher education: Maryland’s Montgomery County Public School System alerted families Friday morning that even after service returns, it “continues to test and review systems before restoring access.”

Tobac says this could mean schools believe attackers could still be in their systems, potentially stealing information such as passwords and messages.

“The attackers likely obtained sensitive information and … [schools] don’t want this information published online,” she says.

Many schools are urging users to be on high alert for any unsolicited emails or messages appearing to come from Canvas, especially those asking for login information, as Georgetown University has warned. The University of Amsterdam, which says it is one of 44 Dutch educational institutions affected, also recommends users change their password on any other site where they use the same one.

Tobac also recommends using a password manager – to generate long, random passwords for each login – and enabling multi-factor authentication for all online accounts, not just Canvas. She says any student or professor who receives a suspicious call, text or email should “use another method of communication to verify what is authentic.”

“Even if there hadn’t been a violation yesterday, I would say these are the things I recommend you do,” she adds, inviting people to “be politely paranoid.”

Breach disrupts finals and highlights vulnerabilities

Several schools affected by this breach have already postponed or scrapped some final exams altogether, while others have warned students and faculty that they may have to do so.

The University of Illinois is postponing all scheduled final exams and assignments until Sunday. Penn State canceled some exams scheduled for Thursday evening and Friday, saying it was working with professors to “determine next steps for final grading” and urging students to regularly check their email (not Canvas) in the meantime. And Baylor University delayed Friday’s exams and asked all professors to send students “any study materials they have on their local computers as soon as possible.”

This breach highlighted the extent to which academia depends on a single, centralized platform.

UPenn’s Linker told NPR he received an influx of panicked messages from students Thursday afternoon when they suddenly couldn’t access PowerPoints, readings and past exams as they tried to study for Monday’s final.

“The problem with using a platform like Canvas is that, for most [students], the available results will not be printed or stored on their laptop,” he explains. “Everything is on the online platform, and if that platform goes down, they have no way to access it.”

He told students Thursday that he would upload course materials to another platform (like Dropbox or Google Docs) if access to Canvas was not restored by Friday morning. Fortunately, he said, it came back online shortly before 9 a.m. ET.

But Linker says he’s wary of relying fully on Canvas in the future.

“Given what this revealed, the vulnerability involved and also the concerns around data breaches, I’m starting to wonder if this is really a wise way to go,” he says.

An example of this is scoring. Linker says Canvas makes it so easy to calculate and weight student scores – on individual and overall assessments – that it has come to function like a digital gradebook. In the future, he says he might start keeping an analog record of students’ grades, just in case.

Although Canvas has competitors like Blackboard, Linker says he doesn’t think any of them are less vulnerable to a future breach. And Tobac agrees.

“The problem is not that this website experienced this cyber event, right? Because nothing in this world is inviolable,” she says. “The thing we need to think about is disaster recovery: how can we continue to operate in the event of a cyber event and how can we do our best to keep bad actors out?”

Tobac says this week showed that many institutions don’t have a clear plan for how students and faculty can connect and access course materials without Canvas. She said these plans are expected to vary depending on schools’ different circumstances and schedules – which could explain why some are carrying out exams as usual while others are abandoning exams altogether. But she would like them to approach the immediate consequences with a common goal.

“We need to treat people with dignity and respect,” says Tobac. “And I hope that this is something that institutions will do, within their deadlines and constraints.”
