Cyber crime entity ShinyHunters launched a widespread hacking effort against Instructure — parent company of Canvas — blocking University of Michigan students from accessing Canvas Thursday afternoon. ShinyHunters has previously targeted TicketMaster, Google and other higher education institutions including Harvard, having reportedly stolen data from more than 13 companies.
In an email to the campus community, Ravi Pendse, U-M Vice President for Information Technology and Chief Information Officer, wrote all access to Canvas is temporarily suspended as the cyber attack is being investigated.
“ITS teams are actively investigating the issue, communicating with Instructure, and coordinating with appropriate university partners,” Pendse wrote. “We will share additional updates as more information becomes available, including guidance on when access may be restored.”
The hack began at the University Thursday afternoon, displaying a counterfeit error message authored by ShinyHunters on Canvas’ launch page. The pop-up said affected schools should “consult with a cyber advisory firm and contact (ShinyHunters) privately at TOX to negotiate a settlement” to avoid getting their information leaked. The message has since been replaced with a notification stating Canvas is undergoing maintenance.
In a subsequent email, Pendse noted some community members saw an irregular Canvas log-in screen. The email advised anyone who encountered this to reset their passwords.
The cyber attack has affected more than 9,000 higher education institutions. Steve Proud, Canvas chief information security officer, acknowledged the initial hack Wednesday evening. He wrote there is no evidence of personal data, such as financial information, having been leaked.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users,” Proud wrote. “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.”
The Michigan Daily News Staff can be reached at news@michigandaily.com.
