A cyber attack has crashed the end-of-year academic party at universities and schools across the US, Canada, and Australia, courtesy of the hacking group ShinyHunters. The group claimed responsibility for taking down Canvas, the academic software owned by Instructure and used by thousands of institutions, causing chaos just as students were trying to prove they'd learned something this semester.
By late Thursday, Instructure posted an update saying Canvas was "available for most users," but some universities were still reporting outages on Friday. The attack affected an estimated 9,000 institutions globally. Mississippi State University postponed Friday's final exams to give affected students a chance to recover lost work - a move that probably made them the most popular university in America for about five minutes.
Aubrey Palmer, a meteorology student at Mississippi State, told the BBC she had just finished a 2,900-word exam essay when a ransom note appeared on her screen. The message read: "Shiny Hunters has breached Instructure (again)." It threatened to release stolen data unless Canvas or the affected universities paid a ransom in bitcoin. Palmer's first thought was that she'd been hacked personally, but then she realized the entire room of students and her professor had received the same message. Frustration quickly spread, with Palmer "so angry at the idea of having to redo" her exam - a sentiment that likely resonated with anyone who's ever written a 2,900-word essay.
The University of Sydney told students on Friday that "Canvas was unavailable" and instructed them not to attempt to log in, acknowledging they were one of approximately 9,000 institutions impacted and waiting for advice from Instructure. Idaho State University cancelled exams scheduled after 12:00 local time (18:00 GMT) on Thursday. Penn State University told students that "no one has access" to Canvas and that a resolution was unlikely within the next 24 hours, cancelling some exams. The University of British Columbia in Vancouver informed students that Canvas was "unavailable due to a cyber breach of its parent company Instructure" and advised them to log out immediately. The University of Toronto reported it was impacted, saying "multiple universities were affected." Students at UCLA struggled to submit assignments, and the University of Chicago temporarily disabled its Canvas page after reports it was targeted.
The Chicago Maroon posted a screenshot of a message from ShinyHunters seeking a ransom, encouraging the university to contact the group privately "to negotiate a settlement" and avoid the release of data. Northwestern University masters student Jacques Abou-Rizk received the same message when he clicked a link in an email that appeared to be from a university administrator. "I didn't know what was happening," Abou-Rizk recalled. "It's a scary message to receive." The university sent a generic email saying it was "monitoring an issue" and did not have an estimated restoration time for Canvas. Abou-Rizk said he was still unable to access Canvas on Friday and hasn't heard from the university since, expressing anxiety about completing his work and not knowing what data might be released.
ShinyHunters has been linked to previous high-profile attacks, including a major hack on Jaguar Land Rover last year. Luke Connolly, a threat analyst at cybersecurity firm Emisoft, told the Associated Press that screenshots show the targeted threats began on Sunday, with deadlines given on Thursday and 12 May, and that discussions regarding extortion payments could be ongoing. The group hasn't said what it plans to do with the data it claims to have taken.
The cyber attacks came the same day that top US Senate Democrat Chuck Schumer sent a letter to the Trump administration urging more defense against cyber risks in the age of rapidly developing AI. The Department of Homeland Security "must immediately help states and localities," Schumer wrote, "before Americans are hit with outages, disruptions, and attacks that could put lives and livelihoods at risk." Because apparently, the only thing more disruptive than a ransomware attack is having to explain to your professor that a hacker, not the dog, ate your homework.