Canvas Hack Is a New Type of Ransomware Debacle

Higher education has long been the target of ransomware and data breach attacks. But never before, perhaps, has a cyberattack against a single software platform completely disrupted the daily operations of thousands of schools across the United States.
The widely used digital learning platform Canvas was put into “maintenance mode” on Thursday after its maker, education giant Instructure, suffered a data breach and a phishing attempt by attackers using the popular moniker “ShinyHunters.” While the criminals have been advertising the breach and trying to extract ransom payments since May 1, the situation escalated quickly for ordinary people across the US and beyond on Thursday, as the Canvas outage caused chaos in schools, including those in the midst of finals and end-of-year assignments.
Universities like Harvard, Columbia, Rutgers, and Georgetown have sent out warnings to students about the situation in recent days; other institutions, including school districts in at least a dozen states, also appear to be affected. In a list that the hackers published on their dark web site, they said the breach affected more than 8,800 schools. The exact scale and reach of the breach are currently unclear, however. And the fact that Canvas was down all Thursday afternoon and evening made the picture harder to assess.
In an incident review letter dated May 1, Steve Proud, Instructure’s chief security officer, said the company “recently discovered a cyber security incident committed by a criminal threat actor.” He added on May 2 that “involved information” of “users at affected institutions” includes names, email addresses, student ID numbers, and messages exchanged by users on the platform.
The situation was finally marked as “Resolved” on Wednesday, with Proud writing that “Canvas is fully functional, and we do not see any unauthorized activity going on.” However, as of midday Thursday, Instructure’s status page registered an “issue” where “some users are having trouble accessing student ePortfolios.” Within hours, the company added another status update: “Instructure has put Canvas, Canvas Beta and Canvas testing into maintenance mode.” On Thursday evening, the company said that Canvas is now available again to “more users.”
TechCrunch reported Thursday that hackers launched a second wave of attacks, defacing schools’ Canvas sites by injecting an HTML file to display their own message on schools’ Canvas login pages. According to The Harvard Crimson, the attackers modified the Harvard Canvas login page to display a message that included a list of schools the hackers said were affected by the breach.
A message from the attackers “urged the schools on the affected list to contact an online consulting firm and privately contact the group to negotiate a deal before the end of the day on May 12—or risk having their data leaked,” the Crimson reported. “It is unclear what information connected to Harvard affiliates was included in the alleged breach.”
The department did not immediately respond to a request for comment about Thursday’s outages and how they fit into the larger picture of the breach. But the situation is significant given that a large amount of student information may have been exposed, and the nationwide visibility of the incident makes it an important example of the long-standing, yet ever-growing, problem of data theft and ransomware attacks.
The name ShinyHunters is associated with massive data dumps and is linked to the notorious hacker group known as the Com. But as the cast of characters has changed over the years, many attackers have taken on monikers that are more closely related to the Com. A number of recent attacks have invoked other names, such as Lapsus$, while having little or no connection to the original group that operated under the name.



