Cyberattack on Canvas platform disrupts finals for Bay Area students

TAMPA, Fla. - A cyberattack targeting one of the nation’s most widely used education platforms caused disruptions for millions of students and teachers this week, including many across the Bay Area.

The backstory:

Canvas, an educational software platform used by thousands of schools and colleges nationwide, experienced a major outage Thursday after hackers targeted its parent company, Instructure.

The platform is used by more than 8,000 colleges, universities and K-12 schools for coursework, assignments, grades and communication between students and teachers.

The outage came during final exam week for many schools, leaving students unable to access assignments, study materials or grades.

At the University of South Florida, student Cameron Cross said he was trying to submit a paper when the system went down.

What they're saying:

"I couldn't access any of my classes or anything, so I had no way to submit my paper when it was done," Cross said.

Students across the country reported similar issues on social media, while some schools worked to delay exams or find alternative ways to communicate with students.

According to Instructure, the compromised data included email addresses, student ID numbers and messages among Canvas users.

The company said the breach did not expose passwords, financial information, dates of birth or government identifiers such as Social Security numbers.

Impacted schools included USF, St. Petersburg College, the University of Florida and several Bay Area school districts, including Hillsborough, Pinellas, Pasco and Citrus counties.  

Schools and colleges sent notifications to students, parents and teachers about the incident.

What they're saying:

Students say the cyberattack raised concerns about how much personal information is stored on educational platforms.

"It's just really concerning because a lot of our data is on Canvas itself, so it's concerning to hear that there was some sort of cyberattack," Cross said.

Cybersecurity expert Eric Bordeau, with the company Logically, said the breach could have been more severe.

"We probably got lucky here because the level of data that was given up was, you know, pretty benign in nature," said Bordeau, Logically’s virtual chief information officer.

Still, Bordeau warned that even limited information can become valuable when combined with data from other cyberattacks.

"They're building a profile on all of us. And so, just because they only got certain pieces of information this time doesn't mean they can't cross-reference that against other breaches with other organizations in the future," Bordeau said.

Experts are encouraging users to stay alert for suspicious emails or scams following the breach.

"Be vigilant because even though there wasn't any critical information exposed in this breach, it's data that could be used against them in the future," Bordeau said.

What's next:

Instructure says Canvas is back online, although some schools and districts have not yet fully restored access for all users.

A hacking group known as "ShinyHunters" claimed responsibility for the attack and allegedly threatened to leak user data if demands were not met.

A message reportedly posted by the group claimed hackers accessed information tied to 275 million Canvas users, though those claims have not been independently verified.

It remains unclear whether any ransom was paid or what happened to the compromised data.

Cybersecurity experts say the incident is another reminder for people to use strong, unique passwords and monitor accounts for suspicious activity.