Canvas Goes Dark, Hackers Threaten Data Leak Days Before Finals
City College's instructional platform is down as a cybercriminal group threatens to release millions of Canvas users' data
A cybersecurity breach disrupted Canvas access for City College students on Thursday after the cybercriminal group ShinyHunters posted a threatening message across the platform, escalating a data breach that may affect millions of users nationwide.
City College appeared on a list of affected schools published by ShinyHunters, a copy of which was archived on the Wayback Machine. The college has not publicly addressed whether its students' or employees' data was specifically compromised.
The Office of Student Affairs confirmed the disruption in a 1:45 p.m. email to students, writing that Canvas "is currently experiencing a widespread outage and will not be available until Instructure resolves the issue." The college said it is monitoring the situation, but that a fix is dependent on Instructure, the company that operates Canvas.
The outage comes less than a week before City College's spring final exams begin on May 13. It remains unclear how a prolonged disruption could affect exam schedules, assignment submissions or access to course materials during the critical end-of-semester period.
According to the California Community Colleges Security Center, Instructure detected the intrusion on April 29. The Security Center has been tracking the incident since May 1 in coordination with the CCC Chancellor's Office, calling it a "vendor level incident, not a targeted attack on any individual college."
ShinyHunters first claimed to have stolen data from Instructure on May 3, saying the group had compromised information belonging to an estimated 275 million users across roughly 9,000 schools. On Thursday, the group posted a message directly on Canvas dashboards warning that it would release stolen data by May 12 if its demands were not met. The message was replaced by a "planned maintenance" notice shortly after.
According to Instructure, the compromised data may include names, email addresses, student IDs and messages exchanged on the platform. The company reported finding no evidence that passwords, financial records, dates of birth or government identifiers were accessed.
The CCC Security Center also warned Thursday that some users have received scam emails from the group claiming to have monitored their web browsing activity and demanding Bitcoin payment within 48 hours. The center advised students to delete such messages immediately and avoid clicking any links or attachments.
The UCs and CSUs are reporting similar disruptions, as are higher education institutions across the country.
Students with concerns should monitor Instructure's status page and watch for phishing emails.
This is a developing story.
