Education Platform Canvas Was Hacked. What Parents Need to Know | #hacker


Canvas, an education platform used by over 8,000 universities and K-12 schools in the U.S., was shut down for several hours on Thursday after a hacking group that calls itself ShinyHunters claimed responsibility and demanded a ransom.

“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at [communication software] TOX to negotiate a settlement,” the ransom note, shared widely online, said. “You have till the end of the day by 12 May 2026 before everything is leaked.”


The data breach possibly exposed the personal data of millions of students and teachers, according to various reports, leaving schools paralyzed and students, many in the midst of exams, scrambling.

By late Thursday, parent company Instructure announced on its website that Canvas back up and running for “most users.” On Friday, it noted that it was “fully back online and available for use.”

Higher education has long been a target of ransomware gangs and data extortion attacks,” noted Wired. “But never before, perhaps, has a cyberattack against a single software platform so thoroughly disrupted the daily operations of thousands of schools across the United States.”

Doug Thompson, chief education architect and director of solutions engineering for Tanium, a cybersecurity management company, told Inside Higher Ed, “This breach follows a clear pattern we’ve been watching for the last 18 months. Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once.”

So what does it all mean? Below, a quick explainer.

What Is Canvas?

The platform is an online educational IT system or learning management system (LMS), like Google Classroom, that’s used for online courses, study guides, and testing. Canvas is implemented by about 3,800 schools in America including 41% of universities such as Columbia, Princeton, and Harvard.

“With Canvas, the classroom is wherever, whenever, whatever you want it to be,” the explains a video on Instructure’s website, noting that it offers mobile apps for students, teachers, and parents. “With Canvas, classroom is a concept.”

Instructure is advising any affected parent, student, or employee to go to their local school as the “first point of contact” for updates. “In the meantime,” it suggests, “it is always a good practice to be cautious of unexpected email or messages referencing the incident, avoid clicking suspicious links, and report anything unusual to your school or institution’s IT or security team.”

Who Are ShinyHackers?

While it’s unclear who, exactly, is behind the hacking group, federal authorities have linked the name to several instances of high-profile breaches. The group has also claimed responsibility for hacking Ticketmaster and attempting to sell user data on the dark web in 2024, as reported by CNN.

Earlier this year, Mandiant, a Google-owned cyber-intelligence firm, reported activity similar to prior “ShinyHunters-branded extortion operations,” like the use of sophisticated voice phishing and fake, company-branded login pages to steal sensitive data for ransom.

“ShinyHunters is known for making English-language phone calls and impersonating employees to trick company employees into handing over access to their IT systems,” reported PC Mag, adding that just last month,  the group claimed responsibility for stealing data from Vimeo and ADT.

The latest school data breach is reportedly the second one claimed by ShinyHunters this month. In Thursday’s ransom note, the group referred to hacking “again” and faulted the company’s response to the previous attack: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

How Are Students Reacting?

Across social media and on Reddit threads, students seem to be either highly annoyed to have their studies interrupted or totally thrilled that they had an excuse to stop focusing for the day, with many heading straight to TikTok to share their feelings on the matter.

“Dude I use my Canvas password for everything this is so annoying,” one student posted on Reddit. Others chimed in with:

“What are the schools going to do…. switch to blackboard?”

“Chat I have a final project.”

“My final is due by Sunday. I truly hope they waive it for everyone and just pass us. I’m a constant victim of identity theft, at this point they should just pass us this semester. The damage from this is going to blow.”

“Bro…I HAVE A FINAL DUE TODAY.”

Allison Park, a junior at the Massachusetts Institute of Technology, told CNN that professors were scrambling to locate students’ emails. “The fact that this one website was the link between teaching staff and students outside of class – I didn’t realize how big of a dependency we had on it until they were scrambling to find our emails,” she said.





Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW