Cyberattack on Canvas During Finals: Key Questions Answered

The recent cyberattack on Canvas, a widely used online learning platform, caused widespread disruption just as students were preparing for final exams. The attack, attributed to the ransomware group ShinyHunters, led to a temporary shutdown and exposed sensitive data. This Q&A covers the essential details, from what happened to how schools responded and what students should do now.

What exactly happened during the Canvas cyberattack?

On Thursday, a cyberattack targeted the online learning platform Canvas, which is used by schools and colleges across the United States. The attack occurred at a particularly stressful time—right when students were scheduled to take their final exams. Instructure, Canvas's parent company, detected unauthorized activity in its network and took the platform offline temporarily as a precaution. By Friday morning, Canvas was restored. The company identified the threat actor as the same group responsible for a data breach disclosed a week earlier. This attack caused chaos, disrupting exam schedules and leaving students and educators scrambling to adjust.

Who was behind the attack on Canvas?

The ransomware group known as ShinyHunters claimed responsibility for the breach. On its dark web site, the group stated it had stolen data from approximately 275 million people associated with 8,800 schools. This is the same group that Instructure previously linked to a data breach disclosed a week before the attack. ShinyHunters is known for targeting large platforms and selling stolen data. While the group claimed a massive data haul, Instructure confirmed that the access was limited to certain non-sensitive information. The company is working with law enforcement and cybersecurity experts to investigate the incident and prevent future breaches.

What type of data was accessed in the breach?

According to Instructure, the data accessed in the breach included user names, email addresses, student ID numbers, and messages exchanged on the Canvas platform. Crucially, the company stated there is no evidence that passwords, dates of birth, government identifiers (such as Social Security numbers), or financial information were compromised. This means that while the breach is serious, it does not expose the most sensitive personal data. However, the loss of student ID numbers and messages could still pose privacy risks, such as identity theft or targeted phishing attacks. Users are advised to be cautious of unsolicited communications and to monitor their accounts for suspicious activity.

How did schools and colleges respond to the disruption?

The timing of the attack—during final exams—caused widespread chaos. Many schools had to postpone exams or switch to alternative methods, such as offline tests or using backup systems. Instructors and administrators worked quickly to communicate with students and minimize disruptions. Some schools provided extended deadlines or rescheduled exams. The scramble highlighted the heavy reliance on digital platforms for education. In the aftermath, institutions have been reviewing their cybersecurity measures and contingency plans to better handle such incidents in the future. Students were urged to stay in touch with their schools for updates and to follow any instructions regarding rescheduled exams or data security.

Is Canvas safe to use now, and what precautions are being taken?

As of Friday morning, Canvas was back online and operational. Instructure said it temporarily took the platform offline to isolate the unauthorized activity and restore security. The company is working with cybersecurity experts to patch vulnerabilities and strengthen defenses. It has also advised users to reset their passwords as a precaution, even though passwords were not among the exposed data. Instructure is monitoring the situation closely and has implemented additional safeguards. For now, teaching and learning have resumed, but users should remain vigilant. It is recommended to enable multi-factor authentication where available and to report any suspicious activity to school IT departments.

What should students do to protect themselves after this breach?

Students who use Canvas should take several steps to protect their information and accounts. First, change your Canvas password and avoid reusing it for other services. Even though passwords weren't compromised, this is good practice. Second, be on the lookout for phishing emails or messages that may reference the breach—attackers might try to trick you into revealing more information. Do not click on suspicious links or download attachments from unknown senders. Third, monitor your email and other accounts for any unauthorized activity. Since student ID numbers and emails were exposed, consider using a credit monitoring service or identity theft protection if available. Finally, stay in contact with your school's IT department for any official updates or recommended actions.

What is ShinyHunters, and why are they targeting educational platforms?

ShinyHunters is a well-known ransomware and data extortion group that has been active since at least 2020. They specialize in breaching large databases and selling stolen information on dark web marketplaces. Their targets often include educational institutions, tech companies, and other organizations that hold vast amounts of user data. By attacking platforms like Canvas, they aim to extract a high volume of records—in this case, 275 million individuals—which can then be monetized. Educational platforms are attractive because they manage data for many users but may have varying levels of cybersecurity. ShinyHunters uses tactics such as exploiting vulnerabilities, phishing, or credential theft. This incident underscores the need for stronger security measures across the education sector.