Many Illinois colleges and schools are scrambling after the online learning platform Canvas went offline Thursday following a cyberattack on its parent company.
The shutdown forced the University of Illinois Urbana-Champaign to postpone all final exams and assignments scheduled for Friday, Saturday and Sunday, leaders told students in a message sent Thursday night.
Thousands of K-12 school districts and colleges use Canvas nationwide, including U. of I. and Northwestern University, to manage classes, post assignments and communicate with students. Chicago Public Schools said Friday that it does not use Canvas and the district was not affected. City Colleges of Chicago does not use the learning platform, either.
Instructure, which runs Canvas, said the platform is back online Friday. But some colleges are still cautioning against using it.
Instructure said last week that it had experienced a “cybersecurity incident perpetrated by a criminal threat actor” that exposed users’ names, email addresses and student ID numbers, as well as internal messages.
In an update, the company said it took Canvas offline Thursday when it detected unauthorized activity related to last week’s data breach “to contain the activity, investigate, and apply additional safeguards,” before bringing it back online the next day. The company said it had temporarily shut down all free-for-teacher accounts, as those were the source of the breach.
A hacking group known as ShinyHunters claimed responsibility for the data breach, according to reporting by the New York Times, and is threatening to release “billions of private messages among students and teachers” if Instructure doesn’t meet its ransom demands.
It is unclear exactly what information hackers were able to access from local schools. Illinois State University officials said on Friday that they were still “working to determine if data such as enrollment or activity contained in our Canvas courses were compromised.”
The University of Chicago’s student newspaper, the Chicago Maroon, reported that Canvas users at the university briefly saw a message from the hacking group on Thursday that said affected schools could reach out and negotiate a settlement before May 12, when they threatened to release private data.
Northwestern University provided suggestions for professors to stay in touch with students and accept student work while Canvas was offline.
Maya Masuta, a sophomore at U. of I., said that she and her friends were studying in the library Thursday afternoon when they discovered the Canvas breach. A friend tried to hand in a quiz, but as she hit “submit” the ShinyHunters notification popped up.
“Within seconds, I got, like, eight texts from different people,” she said. “Everyone was experiencing it.” The first official email from the university that she received arrived two hours later around 4:30 p.m.
The business major said her accounting final exam, scheduled for 7 p.m. Friday, was postponed. She won’t know the new date for the final — or if it will be canceled — until Sunday, when the university has said it will provide the next update.
“Everyone’s unsure whether to keep studying or assume finals might be canceled,” she said.
U. of I. officials urged students not to open Canvas or click on any links if they saw a message from the platform related to the cyberattack because they could contain malware or be otherwise compromised. John Coleman, the university’s provost, told students that U. of I. was talking with other colleges about next steps and acknowledged the situation had added “stress and uncertainty” to the end of the academic year.
A spokesperson for Bradley University in Peoria said Canvas was down for about six hours on Thursday but final exams and end-of-semester activities are proceeding as planned after the system came back online. The Illinois Mathematics and Science Academy, a public magnet high school in west suburban Aurora, said it was monitoring the situation but the data breach didn’t affect the school’s daily operations.
Cybersecurity incidents are common in schools, according to research conducted by the nonprofit RAND Corporation.
In 2024, about 60% of K-12 principals said on a nationally representative survey that their school had experienced at least one cybersecurity incident in the previous two school years, mostly compromised emails and phishing attacks.
But 14% percent said they experienced a data breach and 10% said they experienced a ransomware attack, which can be especially disruptive if hackers demand payment for the release of schools’ data.
Instructure said it had notified the FBI and federal cybersecurity officials about the incident, and it had found no evidence that passwords, dates of birth, Social Security numbers or student financial information were taken.
Luke Connolly, a threat analyst with the cybersecurity firm Emsisoft, said hackers can rely on less sensitive data such as private messages between students and teachers for financial gain.
“They can use that confidential information to extort either the school board or the teacher or the student or the parents,” Connolly said.
Instructure has advised students and families to be cautious of unexpected emails or messages and to report anything unusual to their school’s IT or security team.
Connolly said it’s a good idea for students who may have been affected by the data breach to take precautions, such as changing their passwords and enabling multi-factor authentication, which requires users to verify their identity with more than a password.
Contributing: Cam Rodriguez