Thousands of schools and universities were offline on Thursday due to a cyberattack by the hacking group ShinyHunters, disrupting students’ final exams preparations and highlighting education’s reliance on technology. The group claimed responsibility for the breach at Instructure, which owns Canvas, the learning management system used by many institutions.
The attack affected several major universities including Penn State, University of Wisconsin-Madison, Columbia University, Union College New Jersey, Northwestern University, University of Chicago, University of Illinois Chicago, and University of Illinois. The outage also impacted schools in California and the Chicago area.
Pennsylvania State’s message to students stated that no one had access to Canvas, with a resolution not expected within 24 hours. All tests scheduled for Thursday and Friday at their Pollock Testing Center were canceled.
The Harvard student newspaper reported the system was down there as well. Public school districts also reassured parents, stating they are not aware of any sensitive data contained in this breach.
Canvas is used to manage grades, course notes, assignments, lecture videos, and more. The hacking group claimed nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed.
Screenshots provided by threat analysts showed the group began threatening to leak the trove of data on Sunday, setting deadlines for Thursday and May 12. This indicates ongoing discussions about extortion payments.
Instructure has not posted about the attack on its social media. The Canvas breach is similar to a PowerSchool breach where a Massachusetts college student was charged. ShinyHunters is described as a loose affiliation of teenagers and young adults based in the U.S. and the UK, also linked to other attacks including one against Live Nation’s Ticketmaster subsidiary.