The College assignment database, Canvas by the company Instruction, was reportedly hacked and taken offline just when finals for the majority of schools are set to take place. This understandably puts a lot of stress on not only the students but also the educators who rely on these systems. This attack revealed how dependent certain industries are on one product to operate, leading to a potentially catastrophic disruption.
Canvas is a course management system that supports online learning and teaching. It allows instructors to post grades, information, and assignments online. Canvas offers discussion boards, chat rooms for live discussions, centralized email (so you can stay in touch with your instructor and communicate with other students), and even a way to submit assignments and take exams. (1)
On May 7th, as many schools were beginning to wind down for the semester and finals were around the corner, Canvas, a program created by the company Instruction, unexpectedly went down. At first, it was assumed to be overload due to the fact that many semesters were beginning to end. But it was later determined that a hacking group, ShinyHunters, had compromised their systems twice, once on April 29th and again on May 7th, leading to vast disruptions just as schools were getting ready for finals.
The hacking group that claimed responsibility for the Instructure data breach, said it had accessed data from more than 275 million people across nearly 9,000 schools, according to a ransom letter shared on May 3 by Ransomware.live, which monitors ransomware groups. (2) The data compromised includes student Ids, emails, and even the messages between users. They issued a demand that they pay up by May 12th or there would be more data leaked. As of May 8th, it appears that the network is back up but many schools had to postpone their finals due to the chaos caused.
This is not the first time ShinyHunters has claimed credit for a breach this year. On March 12th, Telus Digital, the digital services arm of the Canadian telecommunications, Telus, revealed that that their network had been compromised as early as January, perhaps even longer. The perpetrators of this attack was the group shiny hunters. “ShinyHunters” said they discovered Google Cloud Platform credentials for Telus in the Drift data and used them to access numerous company systems, including a large BigQuery instance. In all, ShinyHunters claimed to have stolen close to 1 petabyte of data belonging to the company and many of its customers, many of whom use Telus Digital as a BPO provider for customer support operations. (2)
In this case, the group exploited the Free for Teachers feature that Canvas uses to let teachers create their accounts for their use. Based on Instructiure’s forensics, they more than likely spoofed an actual teacher when talking to their customer service team, an increasingly common tactic among hackers today. This was the determination on their April 29th breach when they were found quickly and kicked out. Evidently, they found another attack vector exploiting a similar vulnerability. According to PCmags Michael Kan, “The outage has likely dealt a major reputational blow to Instructure and Canvas. Malware research and library service VX Underground notes that it doesn’t appear ShinyHunters stole highly sensitive information, only names and school-related email addresses. Nevertheless, the breach exposed details about underage students since Canvas is also widely used by K-12 school districts.
“Presumably, parents will be outraged, and this will inevitably result in a lawsuit against the schools or Canvas,” VX Underground adds. In the meantime, some universities are delaying final exams due to the Canvas outage. The stolen messages between students and teachers over Canvas could also expose sensitive details.(3)
This breach exposes a much bigger problem in the cyber ecosystem. Many industries rely on one or two different programs. When they go down, everyone who relies on these systems is affected. We saw this with the Crowdstrike outage in 2024, shutting down many airlines around the world due to a flawed update. As shown here, over 30 million students and teachers, up and down the educational ladder was affected.
The Canvas system is an amazing tool for teachers and students alike. But as seen by the recent attack, it’s just as vulnerable to hackers as any other. Attacks during Finals week adds stress to both faculty and students creating havoc at a crucial time. This also exposes how easily a network can be brought down if they solely rely on a single program.
For more information about cybersecuirty feel free to visit our website: https://www.plrisk.com/products/cybersecurity/