Multiple Colleges Hit by Disruptions After Canvas Service Hack

Hackers briefly took down an online portal used by thousands of colleges around the world this month, disrupting services at institutions from Harvard to Princeton.

Instructure Inc., which runs the Canvas service used by students to take tests and get grades, said it was forced to suspend the portal after a May 1 infiltration by a “criminal threat actor.” The perpetrators exploited a vulnerability in a specific account for teachers, an Instructure spokesperson said in an emailed statement, gaining unauthorized access to some of its websites. The company, owned by KKR & Co., restored much of the service Thursday, though it’s suspended the teacher accounts for now.

It’s unclear whether the hackers gained access to sensitive information. College students use Canvas for everything from accessing course materials and turning in assignments to checking grades and taking tests. Schools around the world — from Stanford University in California to the University of Oslo in Norway and Australia’s Adelaide University — reported problems with the portals. Yale University, Columbia University and Princeton University also experienced issues.

Opportunistic hackers have for years found schools to be easy targets, but universities have been especially hard-hit in recent months. Last year, a series of hacks at Ivy League schools including Harvard University, Princeton and the University of Pennsylvania exposed the information of alumni, donors and students.

Following the breach, some colleges warned that student information might’ve been accessed. Yale said on its website that the incident involved unauthorized access to user data in Canvas, potentially including names, email addresses and messages sent through the system.

Stanford said certain identifying information including names, email addresses, student identification numbers and messages between users might’ve been compromised.

Rutgers University said in a statement that it was unclear what school data may have been compromised. Baylor University warned students of phishing messages that may aim to steal their information from attackers impersonating the school’s IT staff.

A Duke University security spokesperson confirmed the incident and said the school is “closely monitoring the incident,” according to the student publication there.

A prolific cybercrime group, ShinyHunters, said it was responsible for the hack in a dark web post seen by Bloomberg News, but Instructure hasn’t confirmed that the group was behind an attack. ShinyHunters is known for stealing victims’ data and then demanding extortion fees.

In 2024, the buyout firm KKR agreed to buy Instructure in a deal that valued the Salt Lake City-based company at about $4.8 billion including debt. The company was founded in 2008 and was majority-owned by the private equity firm Thoma Bravo before KKR’s takeover.

Photo: Harvard University in Cambridge, Massachusetts. Photographer: Maddie Meyer/Getty Images