A cyber-attack on Canvas, a learning management system used by thousands of schools and universities in the US, caused a nationwide outage on Thursday, disrupting final exams and end-of-year activities. Students and faculty reported being unable to access course materials, grades, and assignments, prompting panic and last-minute adjustments.
Universities including the University of Texas at San Antonio announced they were postponing finals scheduled for Friday in response to the outage. Virginia Tech acknowledged the impact on exams, while the University of Florida warned students to be vigilant for phishing messages purporting to be from Canvas. The University of New Mexico also sent alerts to its campus community.
Damon Linker, a senior lecturer at the University of Pennsylvania, described the situation as leaving students and faculty 'dead in the water here in academia right now'. His students had relied on Canvas for all readings and lecture slides ahead of their Monday finals. The student newspaper at Harvard University confirmed the system was down there as well, and Johns Hopkins University students received error messages when trying to view final grades.
The hacking group ShinyHunters claimed responsibility for the breach, according to Luke Connolly, a threat analyst at cybersecurity firm Emsisoft. Connolly said the group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed. Screenshots showed the group began threatening to leak the data on Sunday, with deadlines of 7 and 12 May, suggesting possible extortion negotiations.
Instructure, the company behind Canvas, did not respond to requests for comment. Connolly noted the attack was similar to a breach at PowerSchool, another learning management provider. ShinyHunters, described as a loose affiliation of teenagers and young adults based in the US and UK, has been linked to other attacks, including one on Ticketmaster.
