Harvard Canvas Access Cut Following Massive Instructure Data Breach
Harvard students lost access to Canvas on Thursday afternoon after the cybercriminal group ShinyHunters listed the university among thousands of institutions allegedly affected by a security breach at Instructure, the parent company of the Canvas platform.
Canvas serves as the central hub for Harvard’s academic operations, hosting course websites, assignments, reading materials, and essential communications between students and instructors. The outage has disrupted access to these critical educational resources.
Timeline of the Outage
The disruption occurred rapidly on Thursday, moving from full functionality to a complete blackout within a few hours:
- 2:00 p.m.: The platform remained accessible to Harvard affiliates.
- 3:30 p.m.: The site began redirecting users to a message from ShinyHunters, a notorious cybercriminal group. The group claimed to have “breached Instructure” and provided a list of affected schools.
- 4:20 p.m.: The landing page updated to a generic notice stating, “Canvas is currently undergoing scheduled maintenance. Check back soon.”
- 4:30 p.m.: Both the web platform and the Canvas mobile app were completely inaccessible to Harvard users.
The ShinyHunters Threat and Demands
The group ShinyHunters claims this is a repeat offense, asserting they breached Instructure “again.” In their communication, the group accused Instructure of ignoring their outreach and attempting to resolve vulnerabilities with minor “security patches.”
The attackers have issued a stark ultimatum: schools listed in the breach must consult a cyber advisory firm and contact the group privately to negotiate a settlement. The deadline for this negotiation is the end of the day on May 12. otherwise, the group threatens to leak the stolen data.
Scope of the Instructure Breach
The scale of the alleged attack is vast. ShinyHunters first announced the breach on Sunday, claiming to have stolen data from 275 million affiliates across 9,000 schools. This stolen data reportedly includes billions of private messages containing “personal conversations.”
While an initial response deadline of May 6 was set for Instructure and the affected schools, the group has since escalated its tactics by redirecting traffic from university sites.
Harvard’s Official Response
Harvard University Information Technology (HUIT) has acknowledged the situation. Tim Bailey, a spokesperson for HUIT, stated that the university is “aware that the Canvas platform is currently unavailable due to a cyber incident.”
Bailey confirmed that HUIT is “actively investigating” the breach. While Bailey did not immediately confirm if Harvard was part of the initial Sunday announcement, the university appeared on the document of affected schools released by ShinyHunters.
At this time, it remains unclear exactly what specific information tied to Harvard affiliates was compromised in the breach.
Key Takeaways
- What happened: Harvard’s Canvas site went down after a breach of its parent company, Instructure.
- Who is responsible: The cybercriminal group known as ShinyHunters.
- The risk: Potential leak of private messages and personal data if settlements aren’t reached by May 12.
- Current status: The site is inaccessible, and HUIT is investigating the incident.
What to Expect Next
As HUIT continues its investigation, the university is expected to provide updates via its official status page. Students and faculty should monitor official university communications for guidance on how to access course materials and whether personal data has been compromised.