Canvas hacked on first day of finals, remains down as hackers demand settlement
A page is displayed with a message from the hackers when users try to sign in. (Screenshot: Rahil Chatterjee/Rutgers Canvas)
Rutgers Canvas was victim to a hack on Thursday, which was also the first day of finals, rendering the site inaccessible and unusable. Currently, the hacker’s message is gone, replaced by a Canvas maintenance screen.
Following the hack on Thursday night, Friday exams for May 8 have been postponed following an update from the New Brunswick Provost.
When logging in, users were greeted by a message, pictured above, with demands by the group. The group, called “ShinyHunters,” claimed that Instructure, the parent company of Canvas, had “ignored” the hackers after previous breaches.
The group also tells affected schools to contact a cybersecurity firm and the hackers themselves. The message continues by saying that Instructure and affected schools have until end of day on May 12 (although no time zone is given) before “everything is leaked.”
The message also links to a website users can find a list of schools the group claims to have affected. The list, a text file, seems to contain over 8,000 affected schools. Other files have names which seem to be pointed at Instructure’s leadership, including names regarding ransoms.
Initially, just the web version of Canvas affected, with the mobile app still working. However, the webpage now shows a Canvas maintenance screen, reading “Canvas is currently undergoing scheduled maintenance” and to “check back soon.” As of this change, the mobile app for Canvas is no longer working either.
Instructure’s status website says that Canvas, Canvas Beta and Canvas Test are currently unavailable, and that they are currently investigating the issue.
Rutgers IT had put out a statement earlier in the week, saying that Instructure had notified Rutgers that the University that it had been “impacted by a widespread data breach affecting thousands of institutions,” but that there was “no indication that passwords, dates of birth, government identifiers, or financial information were involved in this incident.”
ShinyHunters has an extensive history of hacks and databreaches they have either participated in or carried out dating back to 2020, including companies like Microsoft, Wattpad, AT&T, and Ticketmaster. The group has also hacked universities individually in the past, such as the University of Pennsylvania, Princeton and Harvard.
Michele Norin, Chief Information Officer for Rutgers, said that the university was “actively monitoring a global system of a third-party vendor, Instructure, that is currently impacting Canvas at thousands of institutions, including Rutgers” in a statement emailed to students.
The statement also added that the University “understands that student exams, project submissions, and other efforts may have been interrupted” due to the hack, and that it is “evaluating next steps following the interruption of Canvas during the exam period.” The statement ends saying that additional information “will be forthcoming” to students, faculty and staff.
Links have been censored to protect our audience.
This article has been updated following an announcement from the New Brunswick Provost that final exams on Friday, May 8 were postponed. Last updated May 7, 11:30 p.m.