FEATURED
Attack affected education platform Canvas, used by thousands of schools
LYNCHBURG, Va. — Canvas, the learning management software used on campuses across the country, experienced nationwide outages as a result of a major cyberattack Thursday, stalling final grades and postponing exams at Liberty University and other institutions.
Students who accessed the platform encountered a ransom note (pictured) from the hacking group ShinyHunters. The note threatened to leak personal information to the dark web if institutions did not negotiate settlements by the end of the day May 12.
Although the platform was back up and running Friday, the temporary outage caused chaos on campuses at a time when many students are taking finals.
At Liberty, a private evangelical Christian institution in Virginia, students expressed worries about the impact that the outage would have on assignments and final semester grades.
“I really wanted an A in my class, and now I can’t turn in a 200-point assignment,” sophomore Wes Richardson told The College Fix on Thursday during the outage. “And it’s kinda hitting me, I want my GPA to go up.”
Other higher education institutions all across the country, including Harvard, MIT, Stanford, Duke, UCLA, Northwestern, and the University of Pennsylvania also were affected, prompting messages from professors and administrators about finals and class projects.
Damon Linker, a UPenn lecturer in political science, explained how the cyberattack affected his classes in an X post Thursday. In another post Friday, Linker wrote that the platform was working again.
Shortly after the attack, some Liberty students reported seeing an alternative Canvas login page when accessing the site. University administrators warned students that the page could be fraudulent and urged them not to log in.
Officials also reassured students that accommodations for finals and class projects would be made.
“We understand the impact this disruption is having and want to reassure you that appropriate class extensions will be provided,” the Liberty administration said Thursday in a campus-wide email. “We will share more specific guidance as soon as we have clarity on the duration of the outage.”
Professors and graduate student assistants at Liberty were advised to continue administering non-digital finals, while postponing online finals to a later date.
Not only did the outage lead to interruptions for exams, but the attack also posed significant risks to private data.
Liberty leaders reported taking proactive measures to mitigate data privacy risks while working with Instructure, the company that runs Canvas, to resolve the issue on campus.
On Thursday, the Information Services Department redirected web traffic from the Canvas domain to the university website to protect internal networks and devices.
In a public service announcement to students, university administration stated that they were taking measures to address the outage as well as security precautions, including stricter Multi-Factor Authentication changes.
“This is an added layer of security; we have no reason to believe any Liberty University authentication accounts were touched in the Canvas breach,” the statement read.
Canvas is the online platform that hosts class content, student grades, and educational resources for nearly 9,000 grade schools and universities worldwide.
The company Instructure told CBS News in a statement Friday that it took Canvas offline after realizing that hackers had “made changes to the pages that appeared when some students and teachers were logged in,” exploiting an issue related to its Free-For-Teacher accounts.
“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” the company stated. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
Instructure reported earlier this week that potential leaked information includes names, email addresses, student ID numbers, and user messages, but the company “found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”
Instructure says that investigations into the extent of the issues are underway with the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and international law enforcement partners.
ShinyHunters is an extortion group with a history of breaching company websites and online databases via misconfigurations and AI-powered voice phishing attacks, according to an article at DC Control, a tech company. The group demands ransoms and leaks data on dark web forums if unpaid, totaling over 73 million records stolen, tech news site ZD NET reports.
The group has conducted similar attacks against AT&T, Ticketmaster, Santander, Qantas Airlines, Google Salesforce and the human resources platform Workday among others since 2019.
MORE: Penn professor uses AI to generate sociology module, suggests shift in higher ed learning
