MUNCIE, Ind. (The CI) - Canvas, an online learning system used by several universities and K-12 schools, has been hacked by the ShinyHunters group.
Here’s what we can confirm.
According to Canvas’ parent company, Instructure, on April 29, the company “detected unauthorized activity in Canvas,” “revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.”
On May 3, ShinyHunters shared a ransom note on ransomeware.live, alleging over 3.65TB of data from “nearly 9,000 schools worldwide,” “275 million individuals,” “several billion […] private messages,” as well as a breach of Instructure’s Salesforce system. The post noted a deadline for May 6.
On May 5, Instructure said they “notified impacted organizations” of the breach.
On May 7, CNN stated when a student at the University of Washington logged in to Canvas at noon, they were “greeted by a message from the hacking group ShinyHunters, which claimed to have ‘breached’ the platform’s parent company, according to a screenshot obtained by CNN.”
While the screenshot wasn’t shared in the article, numerous photos from students have been circulating on social media.
When MIMS visited the link in the screenshot for an alleged list of affected institutions, the link didn’t work.
When MIMS visited ShinyHunters’ website over the Tor network, we were presented with a press statement, reading “We are not commenting and have no further comment to make regarding this global incident.”
As of May 8, MIMS has not publicly seen any available download for this breach.
While MIMS can’t verify the message circulating social media independently, when we visited Ball State University’s Canvas site at 5:56 p.m., we were greeted with the following screen, reading, “Canvas is currently undergoing scheduled maintenance[.] Check back soon[.]”
Instructure states they “identified additional unauthorized activity tied to the same incident,” and “[t]he unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas.” The company said they “temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards.”
CNN stated, in a note on May 7, ShinyHunters “gave schools impacted a May 12 deadline ‘to negotiate a settlement.’”
MIMS is unable to find and independently verify this note.
In an email sent to Ball State students on May 8, the University stated data “potentially involved appears limited to names, email addresses, and student ID numbers,” and, at this time, “there is no indication that passwords, financial information, or government identifiers were compromised, or that Ball State credentials were exposed.” The University reminds students to be cautious of phishing scams.
Instructure said “the unauthorized actor” exploited “an issue related to our Free-For-Teacher accounts,” and “made the difficult decision to temporarily shut down Free-For-Teacher accounts.”
The CI has contacted Ball State Associate Vice President of University Communications and Digital Strategy Greg Fallon for comment, specifically to verify if the University was affected.
Muncie Community Schools Chief Communications Officer Andy Klotz verified MCS does not use Canvas and was not affected.