Instructure Takes Canvas Offline After Hack, Down Detector Surge Hits Schools
Instructure took Canvas offline globally for several hours on Thursday after additional unauthorized activity tied to the same incident appeared on the platform, and down detector reports quickly followed from schools trying to log in. The move hit a system used by hundreds of schools and universities across the globe during exam season, when assignment deadlines are hardest to miss.
Canvas and Instructure
Canvas returned on Friday after Instructure said it had identified the extra activity and moved the service into maintenance mode to contain it, investigate, and apply additional safeguards.
The company said the unauthorized actor exploited an issue related to the Free-For-Teacher accounts, which is a sharp reminder that a smaller account class can still become the entry point for a much larger outage.
April 25 breach
The chain started on April 25, when Instructure first experienced a data breach the company said was perpetrated by a criminal threat actor, and the data involved appeared to include personal information.
Instructure said it found no indication that passwords, dates of birth, government identifiers, or financial information were involved, and that it had revoked access and addressed the vulnerabilities on April 29 after detecting the attacker.
Schools on Thursday
Several school districts notified students on Thursday as the outage unfolded, including Davis School District, which said the Canvas system was currently down and that teachers would provide flexibility on due dates if assignment submissions were hit.
The hacker message that triggered the shutdown said, “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some 'security patches,'” and it demanded contact by May 12 before everything is leaked.
Instructure said Canvas is fully back online and available for use, but the unresolved question for school administrators is whether Free-For-Teacher accounts will come back without the same exposure that forced the global shutdown in the first place.
