ShinyHunters Lists Harvard in Instructure Canvas Breach, Shutting Down Access

Harvard students lost access to Canvas on Thursday afternoon after the cybercriminal group ShinyHunters listed the University among thousands of schools allegedly affected by a breach of Instructure, Canvas’ parent company.

“News As Yale Floats 3”

@thecrimson

The Harvard Crimson reported that around 3:30 p.m. the site began redirecting to a message from ShinyHunters claiming it had “breached Instructure,” and by around 4:20 p.m. it displayed “Canvas is currently undergoing scheduled maintenance. Check back soon.”

@thecrimson

The Harvard Crimson said both the Canvas mobile app and the web platform were inaccessible to Harvard users as of 4:30 p.m., while Instructure’s breach claims were tied to a deadline of May 12.

Instructure’s chief information security officer Steve Proud wrote in an incident update log that the company had “recently experienced a cybersecurity incident perpetrated by a criminal threat actor,” and he later said Canvas was “fully operational” and that it was “not seeing any ongoing unauthorized activity.”

Multiple outlets tied the disruption to ShinyHunters’ extortion attempt, with CBS News saying the hacking group named ShinyHunters claimed responsibility for the breach at Instructure, the company behind Canvas.

CBS News reported that Instructure posted to a status log that Canvas was “now available for most users,” while Penn State told students that “no one has access” to Canvas and that a “resolution” was not expected “within the next 24 hours.”

CBS News

The Harvard Crimson described how ShinyHunters’ message urged schools included on the affected list to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12.

WIRED reported that in a list published by the hackers they claim the breach affected more than 8,800 schools, while the exact scale and reach of the breach was “currently unclear.”

Instructure’s incident updates described the information involved for “users at affected institutions” as including names, email addresses, student ID numbers, and messages exchanged by users on the platform, according to WIRED’s account of Steve Proud’s log.

“Students attempting to access grades, study materials and quizzes were met instead with a message from a hacking group on Thursday”

CNN

WIRED also reported that Instructure later said it was “Resolved” on Wednesday, with Proud writing that “Canvas is fully operational, and we are not seeing any ongoing unauthorized activity,” even as the company had placed Canvas, Canvas Beta and Canvas Test in maintenance mode late Thursday.

The Cavalier Daily said an Instructure report stated the data involved “consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers [and] messages among users,” and it added that Instructure reported it “found no indication” that passwords, dates of birth, government identifiers or financial information were compromised.

Inside Higher Ed framed the broader stakes by quoting Doug Thompson saying, “Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once,” and it described ShinyHunters’ “PAY OR LEAK” pressure on Instructure tied to threatened disclosure of “Several billions of private messages among students and teachers.”