On May 7, students and staff who attempted to log onto Canvas were instead met with a cryptic message: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’” As the main “digital hub” for schools to post assignments, course material and even exams, its shutdown impacted 275 million students, teachers and staff at nearly 9,000 schools worldwide. Although access was restored for all users of the system on May 11, the incident that occurred sparked major debate, concern and frustration over the reliance of one platform for nearly all class material.
ShinyHunters, the cybercrime hacker and extortion group behind the shutdown, has been actively causing data breaches since 2019. From Ticketmaster to Soundcloud and now Canvas, cybercrime groups like ShinyHunters steal user records from sites and unless a ransom is paid, leak the information. Fortunately, the threatened leak for MCPS students did not include passwords, date of births, government identifiers or financial information. However, information about usernames, email addresses, course names, enrollment information and private messages were used as a threat to be leaked.
“Scammers or hackers may take advantage of confusion by sending fake emails or messages that appear to come from the school or Canvas asking users to ‘log in again’ or ‘verify their account,’” WCHS Computer Science/Engineering teacher Rebecca Smith said. “Students and teachers who are anxious to regain access may accidentally click phishing links and enter their passwords into fake websites, allowing attackers to steal account information.”
With many classes at WCHS solely using Canvas for everything from learning to examinations, test schedules were disrupted, assignment deadlines became blurry and preparation for AP exams became disordered with class materials becoming scattered and unavailable.
“The Canvas shutdown prevented my students from accessing study resources such as Kahoots, study guides and exam tips for their upcoming AP Computer Science Principles exam on May 14th,” Computer Science Teacher Marla Rudnick said. “While we hope that everything always works well, we should be ready to pivot.”
Though May 7 was not the first time students had their learning disrupted, whether it be through snowstorms, internet outages or other unexpected events, it was one of the first times MCPS experienced a school disruption stemming from a cybersecurity threat. By impacting a platform students use everyday, the incident served as a reminder that cybersecurity threats are neither distant nor abstract, but can directly affect students at MCPS and are something worth preparing for.
“Many students and staff often reuse passwords across multiple accounts or share passwords with friends, which increases the risk of unauthorized access if one of the accounts is compromised,” Smith said. “Both students and staff need to create strong, unique passwords and use multifactor authentication when available to protect their login information.”
Canvas was officially launched in 2010, with MCPS implementing it as part of its digital curriculum initiative starting in the 2014-2015 school year. Now, Canvas has become so embedded in students’ learning at WCHS that using other platforms like Google Classroom or Blackboard may feel unfamiliar. That dependence helps explain why the shutdown may have felt so unsettling for students since it challenged their trust in a platform that they had come to heavily rely on ever since they entered middle school.
“My initial reaction to hearing that Canvas got shut down was fear, ” WCHS junior Grace Wu said. “At first, I didn’t know the implications of what Canvas getting shutdown meant and the consequences of getting ‘hacked’ were so vague that I was worried that I would be doxxed or even have my address leaked. I think what helped was knowing we were all going through the same thing together, and that helped me calm down and start to accept the situation.”
While the shutdown caused stress and uncertainty, teachers, staff and MCPS worked to keep students informed and calm their worries. Many teachers sent updates, shared saved copies of materials and provided alternative ways for students to access assignments. Some also reminded students to be cautious of suspicious emails, fake login pages and other phishing attempts that could be used to take advantage of the confusion and chaos of the situation.
“Our society is encumbered with constant cybersecurity threats,” Rudnick said. “In AP Computer Science Principles, we discuss the risk. This attack brought home the consequences. It is a good reminder that our school is not in a vacuum. Before Canvas, we used Google Classroom to assign and grade students, and that still exists, so we do have alternatives.”
