Beginning in the late afternoon of May 7, the Canvas website and mobile application became unavailable to students across the country. The shutdown was a result of a cyber attack on Instructure, the company behind Canvas. Following the shutdown, the hacking group ShinyHunters claimed responsibility for the crash.
Since it was founded, ShinyHunters has been involved in attacks on dozens of companies, including Microsoft, Bonobos, AT&T, Santander, Ticketmaster, Qantas, Grubhub and a handful of universities. The group’s cyber attacks mostly involve stealing companies’ or their users’ data and demanding ransom payments in exchange for returning and refraining from leaking the data.
Thousands of high schools and universities use Canvas for organizing assignments, communicating with students and administering classes.
Starting around 4 p.m. EST, Canvas displayed a message informing students it was “undergoing scheduled maintenance.” The platform began working again at around 10:30 pm EST.
According to Inside Higher Ed, students at many institutions reported receiving an earlier message stating, “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’” The message also provided a link to a list of schools affected by the hack, prompting administrators to “consult with a cyber advisory firm and contact [the group] privately at TOX.”
ShinyHunters later published a letter on the website Ransomware.live ransoming “several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other [personal identifying information].”
ShinyHunters gave Instructure a deadline of May 12 to pay the ransom, threatening to leak students’ personal information and data if it was not met.
On May 8, ShinyHunters posted on RansomLook, “Instructure ha[d] not even bothered speaking to us to understand the situation or to even negotiate with us to prevent the release of this data.” However, by May 11, Instructure paid an undisclosed amount of money as ransom, ensuring that the data of students and educators at almost 9,000 institutions was no longer at immediate risk of being leaked.
Sophomore Felix Pacheco Lynch said that the ability of ShinyHunters to declare deadlines and ransoms “is quite discomforting.” He added “that any mal-intentioned actor can just hack large companies and hold them for ransom” for large sums of money.
Sophomore Jigme Kim, described the attack as deeply concerning and a “wakeup call to educational institutions to institute real technological defense mechanisms.” Similarly, junior Harold Wyatt described the experience as “shocking” to him and said it “damaged his trust” in the software Sidwell and other schools heavily rely on.
Sophomore Seiji Nyhan viewed the hack differently, saying, “[Canvas] was not down for too long and it went back up successfully, so there is no real worry; many other institutions have also been hacked before.”
While Canvas was down, students could not access their class pages, preventing them from viewing assignments or other information necessary for class. Pacheco Lynch was frustrated by this “because it did not allow [him] to complete [his] work.” He added that he felt that the outage impeded students’ ability to study for assessments the next day without access to the course information.
Sidwell did not offer any official communication clarifying expectations for completing work. However, many teachers individually sent their students emails providing information on homework. Sophomore Rafae Niazi said that “there were different expectations for different classes, and I think there could have been more clear central communication.” He added that his teachers were generally “understanding” of the situation.
Some Sidwell students took the opportunity to relax. Sophomore Andrew Kim said he “was pretty happy about the Canvas shutdown because it was an excuse to not do homework.” Sophomore Leo Zanello added that the shutdown was “very convenient.”