ShinyHunters breach of Canvas disrupts universities during exams

ShinyHunters breached Canvas, defaced login pages and claimed 275 million records, disrupting universities in the US, UK, Canada and Australia and delaying exams as campuses restore access.

ShinyHunters breached the Canvas learning platform, defaced login pages at hundreds of institutions and claimed to have taken 275 million records. The incident disrupted universities in the United States, the United Kingdom, Canada, Australia and New Zealand and led some campuses to delay exams.

Instructure, the developer of Canvas, confirmed a security breach on May 1 and reported it took steps to contain the incident. The company reported that exposed information is believed to include names, email addresses, student ID numbers and messages between users. Investigators, according to Instructure, found “no evidence that passwords, dates of birth, government identifiers, or financial information were involved.” Instructure said the incident appeared largely contained on May 2 before a follow-up attack altered login screens at hundreds of institutions.

Security analysts who reviewed the follow-up activity said attackers injected HTML that changed login pages to display a ransom warning and set a deadline of May 12 for publication of stolen data. The group claimed roughly 3.65 terabytes of data spanning 275 million records from 8,809 institutions. Researchers described the activity as an extortion approach that pressures victims to pay to avoid public disclosure rather than one that uses file-encrypting ransomware.

Several universities reported service outages and disruptions to student work. A number of British institutions, including Oxford, Birmingham and Edinburgh, reported problems; Birmingham has since restored operations while Oxford warned staff and students that Canvas remained offline with no confirmed return date. In the United States, Mississippi State University postponed exams after students could not access course materials. An Australian university advised students not to log in while systems were unavailable. Students at affected campuses reported contacting instructors for attachments and arranging alternate exam plans.

Canvas is used by more than 8,000 institutions and about 30 million active users for course materials, assignment submission and exam administration. Universities are working to restore access while investigating the scope of the breach and notifying people whose information may have been exposed. Instructure has been contacted by multiple institutions as they coordinate remediation and communications for affected users.

Instructure’s chief information security officer, Steve Proud, reported that investigators moved quickly to contain the incident and that security teams continue to examine whether additional types of data were exposed.
