A hacking group called ShinyHunters says it broke into Instructure, the company that runs the online classroom platform Canvas, for the second time this month. They stole millions of student and faculty records and cut off Canvas access for schools across Maryland and the United States.
What’s Happening: The attack began Thursday, May 7, when students attempting to log into Canvas were redirected to a message from ShinyHunters claiming credit for the breach. The hacking group threatened to release 3.65 terabytes of data allegedly stolen during its initial breach of Instructure on May 1 unless the company contacted them before May 12.
What Was Taken: The hackers say they took millions of records, including names, email addresses, student ID numbers, and private messages sent through Canvas. Instructure said it has not found any evidence that passwords, Social Security numbers, or financial information were taken, but the investigation is still ongoing.
How This Affects Real People: Canvas is the platform millions of students and teachers use every day to turn in assignments, check grades, take quizzes, and send messages. More than 8,000 schools and universities were reportedly affected. Some schools postponed exams and switched to backup systems while Canvas was down. Multiple Maryland institutions were listed among those hit, including:
- University of Maryland, Johns Hopkins University, Morgan State University, Howard University, and Georgetown University
- Montgomery County Public Schools, Howard County Public Schools, Prince George’s County Public Schools, Charles County Public Schools, and Baltimore City Public Schools
- Anne Arundel Community College, Carroll Community College, Chesapeake College, Howard Community College, and Baltimore City Community College
- The Maryland State Department of Education, Maryland University of Integrative Health, Maryland School for the Deaf, and the Judicial College of Maryland
- Harford County Public Schools, Frederick County Public Schools, and Prince William County Public Schools
Montgomery County’s Response: Montgomery County Public Schools announced May 8 that it temporarily disabled access to all teacher and student Canvas accounts following the recent cybersecurity concerns. District officials advised students and staff not to access Canvas until further notice and warned the community to be cautious of phishing attempts.
Where Things Are Now: As of May 8, many Canvas systems are back online after Instructure took parts of the platform offline to work on the problem. Instructure has not paid the ransom to ShinyHunters.
About ShinyHunters: Not much is publicly known about ShinyHunters, but the group has been active since 2020, with a track record of targeting companies for money through data theft and extortion. Previous ShinyHunters targets from the last five years include the EU Commission, Ticketmaster, Pornhub, GrubHub, and AT&T.
How to Protect Yourself: Here are several steps people can take when their personal data may have been exposed in a breach.
- Change your password on the website that has been breached and any other accounts that use the same password.
- Turn on two-factor authentication, a security setting that requires a second step, such as a text message code, to log in.
- Watch for phishing emails, which are fake messages designed to look real and trick you into clicking a link or giving up personal information.
- Do not click links in unexpected emails or text messages.
- Monitor your email account for unusual activity or login attempts you do not recognize.
Discover more from The Free State Press
Subscribe to get the latest posts sent to your email.