Canvas Breach Prompts Caution, Limited-Use Guidance at Caltech

The message displayed to users logging into the Canvas webpage on May 17. (Image: Wikimedia Commons)

A recent cybersecurity incident involving Canvas, the learning-management system operated by Instructure and used throughout Caltech, disrupted universities during exam week and raised concerns about the possible exposure of user data.
Instructure claims it detected unauthorized activity on April 29 and additional related activity on May 7, when some users saw altered Canvas pages; the company temporarily placed Canvas in maintenance mode and later tied the access path to its Free-For-Teacher account system. According to Instructure, the data involved in the April 29 incident may include names, email addresses, student ID numbers, and messages exchanged within Canvas, but the company says it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
The incident quickly became a national story due to Canvas’ central role in coursework, grades, assignments, and exams. News reports described colleges postponing exams and deadlines as students and instructors were temporarily cut off from the platform. Inside Higher Ed reported that the extortion group ShinyHunters claimed responsibility and threatened to leak data connected to thousands of institutions; AP similarly reported that the group claimed data involving nearly 9,000 schools and 275 million individuals.
On May 11, Instructure said it had reached an agreement with the “unauthorized actor” involved in the incident. The company stated that the data had been returned, that it had received digital confirmation of destruction in the form of “shred logs,” and that it had been told no Instructure customers would be extorted as a result of the incident. Inside Higher Ed characterized the agreement as a ransom payment, though Instructure did not disclose the amount.
Here at Caltech, the response evolved from caution to limited resumed use. In a May 8 advisory, IMSS recommended that users limit Canvas access, avoid uploading new content or submissions, and back up course data, including student submissions and grades. Students were advised to view course materials but avoid new uploads; instructors were asked to avoid entering grades or uploading new materials and to use Caltech-secured alternatives such as Google Drive or Google Forms where appropriate.
By May 12, Caltech’s guidance shifted: Canvas remained operational and available for teaching, learning, and administrative continuity, but users were urged to exercise heightened caution. IMSS warned of phishing and impostor websites attempting to exploit the breach, advising users to access Canvas only through official links, avoid suspicious password-reset prompts, and never provide Social Security numbers, birth dates, passwords, or MFA codes through email or external sites. The practical message was less that Canvas had disappeared from campus life than that its ordinary convenience now required unusual vigilance.
Instructure says Canvas is back online and that outside forensic partners have found no evidence the threat actor currently has access to the platform. The company says it has revoked credentials and access tokens, rotated certain internal keys, added monitoring, restricted token creation pathways, notified law enforcement, and temporarily shut down Free-For-Teacher accounts while it continues its investigation.