Canvas cyberattack disrupts universities

Canvas is the software layer a lot of colleges run on. Assignments live there. Grades live there. Class announcements live there. So when Canvas went sideways on Thursday, May 7, the problem was not “some website is down.” It was the academic workflow for thousands of schools getting jammed during finals. Instructure, the company behind Canvas, says attackers changed pages some students and teachers saw when logging in, and it put Canvas into maintenance mode before restoring service for most users later that night. (status.instructure.com) ### What actually broke? The immediate disruption was the login and course-access layer. Instructure’s status page shows Canvas, Canvas Beta, and Canvas Test were placed into maintenance mode on May 7, with investigation starting at 14:41 MDT and service returning for most users at 21:17 MDT. That meant students could lose access to assignments, lecture materials, and submission portals right when many campuses were in exam mode. (status.instructure.com) ### Was this a new hack? Not exactly — it looks like the visible outage was the second phase of the same incident. Instructure says it detected unauthorized activity on April 29, revoked access, brought in outside forensic experts, and then found “additional unauthorized activity” on May 7 tied to that same breach. The May 7 activity is what turned a back-end security problem into a front-end outage everyone could see. (instructure.com) ### What data may have been taken? The current picture is bad, but not worst-case bad. Instructure and universities relaying its notice say the data involved may include names, email addresses, student ID numbers, and messages sent inside Canvas. They also say they have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. That distinction matt(instructure.com)ll sensitive, especially if criminals use them for extortion or phishing. (techservices.illinois.edu) ### Who is claiming responsibility? A criminal group called ShinyHunters is being named across campus alerts and cybersecurity reporting as the actor claiming the breach. California’s community college security center said the group was trying a “pay or leak” extortion approach, and BleepingComputer reported the campaign involved defaced Canvas login portals at hundr(techservices.illinois.edu) was pressure applied in public. (cccsecuritycenter.org) ### Why did campuses tell people to stay off Canvas? Because “mostly back up” is not the same thing as “safe to use.” Illinois told users on the night of May 7 not to access Canvas until the university gave formal direction, even as broader service began returning. California community college security officials made a similar call, urging districts to suspend access until Instructure could p(cccsecuritycenter.org)nct in a live incident — availability comes second to trust. (techservices.illinois.edu) ### Why does this hit so hard during finals? Because Canvas is not just a classroom website anymore. It is the submission box, the gradebook, the message board, the quiz engine, and often the backup plan that replaced older backup plans. When one vendor sits in the middle of all of that, a single compromise can freeze normal operations across thousands of institutions at once. The concentration risk is the story here as much as the hack itself. (techservices.illinois.edu) ### What should students and faculty watch for now? Phishing and scam follow-ons. California community college officials warned that users were already getting extortion emails claiming hackers had monitored their browsing and demanding Bitcoin. Mississippi State separately warned users not to trust unverified third-party Canvas messages or remediation links. The pra(techservices.illinois.edu)ol’s official IT guidance. (cccsecuritycenter.org) ### Bottom line? This was a cyberattack on a shared academic utility, and that is why it felt bigger than a normal outage. Instructure says the incident is contained and Canvas is available for most users, but the hard part starts now — figuring out exact data exposure, cleaning up trust, and proving that one compromised vendor does not have to take half the semester with it. (status.instructure.com)