Canvas shut down worldwide on May 7 after a hack by cybercriminal group ShinyHunters displayed a warning message that student data could be distributed if Instructure, Canvas' host, did not reach out to them by May 12. The message displayed across campus Canvases around 3 p.m., just hours before University of Wisconsin-Madison’s last day of finals.
In the pop-up message on Canvas, ShinyHunters encouraged affected schools to consult a cyber advisory firm and contact the group directly using instant messaging app Tox, before “everything is leaked” at the end of the day May 12.
The hack follows a May 1 hack of Instructure, Canvas’ host, that compromised student names, email addresses and ID numbers. The hack did not include passwords, dates of birth, government identifiers or financial information, according to an Instructure statement.
UW-Madison’s Canvas does not contain student ID numbers, dates of birth, government identifiers or financial information.
Instructure confirmed the May 1 breach but called Canvas “fully operational” in a statement posted on Thursday.
According to a May 5 TechCrunch article, ShinyHunters stole 231 million unique emails from Canvas and Instructure later said they “deployed patches to enhance system security” and increased monitoring.
Students with upcoming finals expressed concerns about their ability to access preparatory materials.
“All my study materials and curriculums are on Canvas,” Milo Ascher, a UW-Madison student who has a Friday physics final, told The Cardinal. “I feel like I’m going to have a hard time finding all of the specific materials we’re going to be tested on.”
Jack Keller, a student who was in the middle of Microbiology 303 exam taken through Canvas, told the Cardinal he was kicked out of Canvas mid-final.
ShinyHunters is a hacker group founded in 2019 and notorious for large-scale data breaches of highly-used tech. Over 9,000 schools have been affected so far, the hacker group claimed — including all Ivy League schools.
Over 41% of schools across North America use Canvas, and hundreds of millions of students and teachers were affected by the breach. The University of Minnesota and all other Universities of Wisconsin campuses were also affected.
Students are still able to access courseware like Gradescope, but Ascher said his Cengage logged him out and said it could not find his course enrollment.
The group also recently hacked video-hosting app Vimeo, educational-technology company Infinite Campus and customer-sales app Salesforce. They also claimed to have accessed data from textbook publisher McGraw Hill.
Editor's Note: This story was edited at 5 p.m. on May 7 to reflect that Canvas is down worldwide.
This is a developing story.
Sonia Bendre is the campus news editor for The Daily Cardinal. You can reach her at sonia.bendre@dailycardinal.com.
