Students and faculty were warned Thursday not to log in to Canvas after the cybercriminal group ShinyHunters claimed it breached Instructure, Canvas’ parent company, in a nationwide attack that may have exposed some user information.

The warning puts Mt. SAC alongside schools across the country responding to an attack on one of education’s most-used online learning platforms.
Instructure said early findings show some user information may have been involved, including names, email addresses, student ID numbers and messages between users, but said it has found no evidence that passwords, dates of birth, government identifiers or financial information were involved.

Mt. SAC sent a campus safety text alert at 3:54 p.m. Thursday saying Canvas was “currently unavailable due to a reported security breach” and told users not to attempt to log in.

A separate campus email from IT said Canvas “appears” to have been compromised and instructed anyone who attempted to log in today to immediately reset their password.
“As a precaution, all Canvas login access points on the Mt. SAC website and portal have been disabled,” the email said.

The college also strongly recommended that employees reset their passwords and reminded users to create unique passwords that are not reused from other accounts.
A later update from Mt. SAC described the situation as an isolated security incident affecting Canvas, the college’s third-party vendor.
The college said there is no evidence that Mt. SAC systems, network or institutional data have been compromised.

“Canvas is currently unavailable, and students and faculty will not be able to access courses or course materials,” the update said.
Faculty were told to consider other ways to teach and communicate with students while Canvas services are being restored.
Instructure said on its status page that it placed Canvas, Canvas Beta and Canvas Test in maintenance mode today while it investigated the issue.
The company later said Canvas was available for most users, though Canvas Beta and Canvas Test remained under maintenance.

The outage follows a security incident Instructure said it first became aware of on May 1. The company said it worked with outside forensic experts, revoked certain privileged credentials and access tokens, deployed security patches, rotated some keys and increased monitoring across its platforms.
ShinyHunters has been linked to other major hacks, including attacks involving Ticketmaster and PowerSchool, another education technology company, according to the Associated Press.
The group is known for stealing data and threatening to leak it. The Canvas incident shows how a breach at one outside company can quickly affect students and faculty at schools across the country.
For Mt. SAC students, the concern is that names, emails, student ID numbers and messages may have been exposed through a platform students use every day.
In a message to California community college leaders, Chancellor Sonya Christian said Canvas was down systemwide and that Instructure had identified an additional security issue.
“I know this is disruptive, especially given how central Canvas is to instruction,” Christian wrote. “For now, the most important thing is that we stay steady.”

The disruption leaves Mt. SAC students and faculty without normal access to course materials while the college and Instructure respond to the incident.
SAC Media spoke with President Martha Garcia’s office, which advised students to refer to emergency communications from Mt. SAC and to follow those instructions: do not attempt to access or log in to Canvas.
This is a developing story and will be updated as more information becomes available.
Austin Riggs contributed to this reporting.
