Columbia students and faculty lost access to their Canvas accounts on Thursday, May 7 for several hours after Instructure, the company behind the learning management system, was allegedly attacked, leaving many frustrated in the days before the end of the spring semester.

Canvas access was restored around 9:30 p.m., more than four hours after the cyberattack.

ShinyHunters, a cybercriminal extortion group linked to several high-profile data breaches, claimed responsibility for the attack in a ransom post published on the website Ransomware.live, which tracks ransomware activity.

The group claimed stolen data would be released publicly if affected institutions or Instructure did not negotiate a settlement by May 12, according to messages posted online by the hackers and reviewed by multiple news outlets. The Chronicle could not independently verify the threat.

In a message on Canvas that has since been removed, ShinyHunters claimed it had attacked Instructure for a second time after it hit the company on May 2 and asked for ransom. In that attack, Instructure said the group had accessed user identifiers, including names, email addresses, student ID numbers and private messages. But, it said the stolen data did not include social security numbers, passwords or financial information.

This time, no data was taken, according to Instructure.

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some security patches,” the message from the hackers read.

The college sent an email to the community on Friday, May 8, confirming that Canvas was operational and the data breach has been contained. Columbia’s IT department urged the community to be aware of unsolicited communications from both Canvas and college, especially if asking for login credentials or personal information.  

Students said the outage added another layer of stress during an already busy stretch near the end of the semester.

Yolotzin Cervantes, a junior acting for stage and screen major, said this is “the worst time possible” for an outage to occur.  

“If this was in the middle of the semester, I wouldn’t be as mad,” said Cervantes. “But this is how we do our assignments, this is how we turn in our work.”

Gabriela Ayon, a senior acting for stage and screen major, said the Canvas outage is “another hurdle” for her as she approaches graduation.  

“I have so much stuff that I have to get in,” said Ayon. “I have three finals that are due in a couple of days, so I’m really hoping this gets sorted out.”

Angela Malcolmson, associate professor of instruction for ASL-English interpretation, said the situation is terrible for students since the semester is coming to an end.  

“They’re trying to ensure that their grades are exactly where they want to be,” said Malcolmson. “They’re looking at their assignments and trying to hand them in, so it gives an undue burden of stress for them.”

Canvas has been the college’s learning management system since Fall 2018, replacing Moodle.

Canvas and Moodle are both learning management systems that allow students and faculty to access assignments, grades, course materials and class communication online. Unlike Moodle, which is open-source software customized by institutions, Canvas is a commercial cloud-based platform developed by the educational technology firm Instructure.

Last fall, a global outage of Amazon Web Services knocked out multiple sites, including Canvas, disrupting classes, assignments and tutoring sessions across the college, as the Chronicle previously reported.

ShinyHunters, a cybercriminal extortion group active since 2019, has been linked to several large-scale data breaches targeting corporations and online platforms.

Major cybersecurity firms such as Mandiant, a Google subsidiary, have tracked the expansion of this group’s extortion activity over the last year, citing it as “sophisticated voice phishing and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on credentials,” according to cyber researchers at Google Cloud’s Threat Intelligence Group.

Past breaches include Mathway, AT&T and Microsoft.

At 6:37 p.m., Instructure updated its status page with a message that “we anticipate being up soon. “ The issue was resolved three hours later.

Amelia Lutz, the current executive vice president of the Student Government Association and the future president, encouraged students to plan ahead.  

“I would like to encourage students to reach out to their professors in regard to any homework or finals that would otherwise only be accessible through Canvas,” said Lutz. “I hope it gets resolved in a timely manner.”

Additional reporting from Levi Libson

Copy edited by Venus Tapang