Canvas, an education platform used by nearly half of all schools and universities in North America, was taken offline for several hours on Thursday after an apparent cyberattack, its owner said.
A hacking group called ShinyHunters claimed responsibility for the breach, potentially jeopardizing the personal data of millions of students and teachers preparing for final exams.
According to Infrastructure, the company that owns Canvas, the data includes “certain personal information,” including “names, email addresses, student ID numbers, and messages among Canvas users.”
But the company said there is currently no evidence of compromised passwords, dates of birth, Social Security numbers or financial information.
Late Thursday, Infrastructure said Canvas was “fully back online and available for use,” adding that it had notified the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA), and an investigation into the incident is ongoing.
More than 8,000 universities and K-12 schools use Canvas to manage course assignments, grades, notes and messages among students and faculty. Several prominent universities, including Harvard, Columbia, Michigan and North Carolina, sent notifications to students and staff alerting them of the breach. Several schools said they were pushing back finals as a result of the outage.
Who are ShinyHunters and what do they want?
Little is known about the hacking group, which the Associated Press described as “a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom.”
It has claimed responsibility for dozens of other cyberattacks, including one against Ticketmaster in 2024.
According to Ransomware.live, a website that tracks such hacking groups, ShinyHunters posted a ransom letter on May 3 claiming that it had accessed data from more than 275 million people across nearly 9,000 schools, including “several billions of private messages among students and teachers.”
The group threatened to leak the trove of data, giving deadlines of May 6 and May 12 for Infrastructure to “reach out” and pay an unspecified amount. The group also encouraged affected schools to “negotiate a settlement.”
In an incident update to its website, Infrastructure said that Canvas is safe to use.
“Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform,” the company said.
