Add CBS News on Google
A widespread cyberattack targeting the learning platform Canvas is disrupting thousands of schools across the country, including in Colorado. It’s hitting students at one of the worst possible times: finals week.
Cybercriminal group ShinyHunters claimed credit for the attack, breaching systems tied to Instructure, the company that runs Canvas. Canvas is used by 41% of higher education institutions across the country to deliver courses. Millions of K-12 students rely on the platform as well.
In Colorado, more than 20 schools, including Colorado School of Mines, Metropolitan State University of Denver, the University of Denver, the University of Colorado Boulder, Colorado State University, and theUniversity of Northern Colorado, have been affected by the cybersecurity attack.
The group is attempting to extort the company, threatening to release massive amounts of student data if demands are not met.
For students like Flannery Headley, a political science major at MSU Denver, the disruption is more than an inconvenience — it’s a major source of stress.
“The moment I tried to click on something, it gave me this maintenance down page,” she said. “I started Googling things, and I saw this whole thing about the hack.”
CBS
Headley says she was working on assignments when Canvas suddenly stopped functioning.
MSU sent out guidance telling students not to log into Canvas and to wait for updates from professors.
Like many students, Headley is now left in limbo, unsure how finals will be submitted or graded.
“This final I’ve spent the last week working on might not matter,” she said. “At least one of my grades is hinging on another final, whether I’m going to pass or fail.”
CBS
The attackers claim to have stolen large amounts of data, including names, student ID numbers, email addresses, and academic records.
Experts say the real risk may not just be disruption, but what happens next.
“The worst they could do is release it,” said MSU Denver computer science professor Steve Beaty. “There’s been minor leaks and breaches and these sorts of things from time to time, but nothing on the scale of this.”
Beatty says the group claims to have terabytes of student data, which could include personally identifiable information protected under federal privacy laws. If released, that information could be used for scams, identity theft, or further cyberattacks.
Canvas is a cloud-based system used by thousands of institutions, meaning a single attack can have massive ripple effects.
“They took the entire Canvas infrastructure down,” Beatty said. “That affects about 9,000 schools, tens of thousands of people in Colorado alone.”
Right now, schools are scrambling to find workarounds, from email submissions to alternative testing methods.
There is no current timeline for resolution. The hacker group has set a May 12 deadline for the company to respond before potentially releasing the data.
Until then, students like Headley are left waiting, hoping their work doesn’t disappear.
“I’m going to keep working on my finals,” she said, “but I’m not sure what that’s going to look like.”
Featured Local Savings
