Security incident hits Canvas as finals loom for students across US

Canvas, a cloud-based learning management platform used by thousands of schools and universities, was hacked and disabled for hours as students attempted to access their grades and other class materials on May 7, multiple news organizations and college student newspapers reported.

Colleges and universities across the United States, including the University of Michigan, Harvard University, and Pennsylvania State University, alerted on May 7 that Canvas had reported a security incident and was experiencing an outage. The incident disrupted classes, coursework, and exams amid spring finals week for many schools.

The hacking group ShinyHunters claimed responsibility for the data breach at Instructure, the parent company and creator of the Canvas learning management system, according to The New York Times and CNN. Instructure said Canvas has more than 30 million active users worldwide and over 8,000 institutions as customers.

In a ransom letter shared on May 3 by Ransomware.live, a platform that tracks and monitors ransomware groups, ShinyHunters said it had accessed data from over 275 million people — including students, teachers, and other staff — across nearly 9,000 schools worldwide.

By late May 7, Instructure said in a post on its status page that Canvas was "now available for most users." Earlier, the company said Canvas and other related sites had been placed "in maintenance mode" and it was "investigating an issue where some users are having difficulties logging into Student ePortfolios."