Canvas, the cloud-based learning management system used by over 8,000 schools including all top ten U.S. colleges, has been hacked. The group Shinyhunters claims responsibility and has given parent company Instructure until May 12 to pay a ransom or see all data leaked.
Reports of outages are coming in nationwide, with over 8,000 complaints logged on Down Detector.
A similar breach in late April exposed names, email addresses, and student IDs. Instructure deployed patches on May 2, but Shinyhunters referenced this in a ransom note left on the Canvas login page. The group claims its previous hack totaled 3 terabytes of data, affecting 275 million users at nearly 9,000 institutions.
Instructure says no financial data, passwords, or Social Security numbers were compromised. Users are advised to change passwords, enable multi-factor authentication, watch for phishing emails, and monitor credit reports.