Canvas Cyberattack During Finals: Key Questions Answered

As students across the United States prepared for final exams, a sudden cyberattack on the online learning platform Canvas caused widespread disruption. The attack, later claimed by the ransomware group ShinyHunters, forced Instructure—Canvas's parent company—to take the platform offline temporarily. With millions of users potentially affected, here are the essential questions and answers about what happened, what data was compromised, and how institutions and students have responded.

What exactly happened to Canvas during finals week?

On a Thursday during the peak of final exam season, Canvas experienced a significant cyberattack that knocked the platform offline. Instructure detected unauthorized activity in its network and made the decision to temporarily shut down Canvas to contain the threat. This meant that students and teachers suddenly lost access to course materials, assignments, and—most critically—their final exams. The outage caused chaos at schools and colleges across the country, with many scrambling to find alternative ways to administer tests. By Friday morning, Instructure announced that Canvas was back online, but the incident had already disrupted thousands of exams and left many questioning the platform's security.

Who was behind the attack on Canvas?

The cyberattack was claimed by a ransomware group known as ShinyHunters. On its dark web site, the group took credit for the breach, stating that it had stolen data from approximately 275 million individuals associated with 8,800 schools. This group is notorious for targeting large databases and has been linked to previous high-profile data breaches. Interestingly, Instructure revealed that the same threat actor was responsible for a data breach disclosed just a week earlier, suggesting that the attack on Canvas may have been part of a broader, ongoing campaign against the company.

What types of data were compromised in the breach?

According to Instructure, the data accessed by the attackers included user names, email addresses, student ID numbers, and messages exchanged on the Canvas platform. However, the company emphasized that there is no evidence that more sensitive information was taken. Specifically, passwords, dates of birth, government identifiers, and financial information were not involved. While this may be reassuring, the exposure of email addresses and student IDs still poses risks, such as phishing attacks or identity theft attempts targeting students and faculty. Instructure advised users to be cautious of suspicious messages and to change passwords as a precaution.

How did schools and students react to the outage?

The timing of the attack could not have been worse. With final exams underway, schools and colleges had to act quickly. Many announced extensions for exam submissions or switched to offline methods. Students expressed frustration on social media, fearing that their grades would be affected or that they would lose access to study materials. Some institutions had contingency plans in place, but the suddenness of the outage left many scrambling. The disruption highlighted the heavy reliance of modern education on online platforms and the vulnerability of such systems to cyber threats. As noted earlier, the platform was restored by Friday, but the incident underscored the need for better security and backup plans.

Was this attack related to a previous breach?

Yes, Instructure confirmed that the same threat actor behind this week's Canvas outage was also responsible for a data breach the company disclosed just a week prior. That earlier breach exposed similar types of user information. The connection suggests that ShinyHunters had been targeting Instructure's systems for some time and that the latest incident may have been an escalation or a follow-up to gain more data or cause greater disruption. The repeated nature of the attacks raises concerns about whether Instructure has fully addressed the vulnerabilities that allowed the initial breach to occur. As detailed above, the data accessed includes personal identifiers, so the impact could be cumulative.

What steps should students and institutions take now?

Following the attack, Instructure advised all users to reset their Canvas passwords—even though passwords were not reportedly stolen—as a precaution. Students should also enable two-factor authentication wherever possible. Be wary of phishing emails that might reference the breach and ask for personal information. Institutions should review their incident response plans and consider offline backups for critical exam materials. Additionally, monitoring accounts for unusual activity is crucial. While the full extent of the data misuse is unknown, staying vigilant can mitigate potential harm. For a refresher on what was exposed, see our data compromise section.

Who are ShinyHunters and why is this significant?

ShinyHunters is a ransomware group that has been active since at least 2020, known for targeting the education sector and large corporations. They often exfiltrate data and then demand a ransom, threatening to release the data publicly if not paid. Their claim of stealing data from 275 million individuals across 8,800 schools makes this one of the largest education-related data breaches on record. The group's focus on Canvas, a platform used by millions of students and teachers, underscores the vulnerability of widely adopted digital tools. This incident serves as a stark reminder that even essential services are not immune to sophisticated cyber threats.