Canvas hack: What families need to do right now

A major cyberattack involving the learning platform Canvas owned by Instructure raising new concerns about the amount of sensitive student information stored online, and how criminals could use it.

The hacking group known as ShinyHunters claims it stole data connected to roughly 275 million users and is threatening to leak it publicly unless a ransom demand is met.

While that number has not been independently verified, Instructure confirmed the breach involved user information tied to Canvas accounts used by schools and universities across the country.

According to the company, the exposed information may include:

Names
Email addresses
Student ID numbers
Messages exchanged between users on Canvas

Instructure said it has found no evidence that passwords, Social Security numbers, financial information or dates of birth were compromised. Still, cybersecurity expert Rakesh Shah of Quest Software, warns the stolen information could be incredibly valuable to scammers because it provides something far more dangerous than a credit card number: context.

Why this breach is different

This breach may give criminals a roadmap into students’ and families’ lives.

If hackers know a student’s school, teacher, class schedule or online conversations, they can create phishing scams that look frighteningly legitimate.

That could include:

Fake emails appearing to come from a principal or teacher
Fraudulent Canvas login pages designed to steal passwords
Text messages pretending to come from a school district
Scams targeting parents for tuition, fees or fundraising payments
Password-reset emails crafted using real student information

“Social engineering” attacks are often far more effective because they use personal details victims recognize and trust. The same hacking group has also been tied to attacks involving organizations including Cisco, ADT, Amtrak and another education platform, Infinite Campus.

What families should do right now

Families should act immediately even if they have not received a notification from their school.

Change passwords immediately

Change your:

Canvas password
School portal password
Email password
Any other account using the same or similar password

Turn on two-factor authentication

Enable two-factor authentication on:

Email accounts
Banking apps
School portals
Student email accounts
Use an authenticator app instead of text-message verification whenever possible because phone numbers can sometimes be hijacked through SIM-swapping attacks.

Previous: 'Security patches' put student learning system back online after hack

Watch for phishing attempts

Families should be extremely cautious with any email or text mentioning: Their child’s school, a teacher’s name, grades, tuition, password resets, school logins

Before clicking any link: hover over it to inspect the web address, go directly to the school or Canvas website instead, call the school directly to verify requests involving money or personal information

Ask your school questions

Parents should contact their school or district and ask: Was our data involved? What information was stored in Canvas? Are families being notified? What protections are being offered?

Consider freezing your credit

A credit freeze remains one of the strongest tools consumers have against identity theft. A freeze prevents criminals from opening new credit accounts in your name and can be placed for free with all three major credit bureaus.

What Instructure is saying

Instructure says it detected unauthorized activity involving Canvas and launched an investigation with outside cybersecurity experts.

The company says it is continuing to notify affected institutions and investigate the scope of the breach.

Meanwhile, the hackers behind the attack have posted a public countdown threatening to release the stolen information if demands are not met.

How Wake County students explain how they use Canvas

Wake County students John McLurkin and Christian Morales said they use Canvas every day and in their classes.

Morales called Canvas' hacks on April 29 and Thursday, "A little bit scary."

Morales said he has to submit his assignments on paper.

WRAL News reached out to the Wake County Public School System to ask:

How will the district handle end-of-year grades?
How will the school system will move forward if the district or the state opt not to use Canvas for the remainder of the school year?

"I don't know what's fully accessible to them [the hackers], and they might just sell it off [the data] to other people," McLurkin said.

The Wake County Public School System confirmed students in the district have received a ransom note from the hackers themselves, threatening to leak information if they don’t get paid.

"They really need to up the security on those websites they're giving kids," McLurkin said.

How Durham Public Schools is handling the Canvas hack

WRAL News asked a Durham Public Schools spokesperson how the district is handling end-of-year grades, final exams, assignments and grade inputs.

"Durham Public Schools is actively working with school leaders and instructional staff to ensure continuity of instruction and grading while Canvas access remains temporarily unavailable," the district spokesperson wrote. "Schools and teachers have been directed to provide flexibility for assignments, coursework and grading during this period. Students will not be penalized for being unable to access Canvas during the outage.

"The district also maintains nightly backups of Infinite Campus gradebook data, and we are continuing to assess any temporary syncing disruptions related to Canvas integrations."

WRAL News asked if the district advised teachers to use different websites for work purposes.

"Teachers and schools have been encouraged to use alternative instructional approaches and district-approved resources while Canvas remains unavailable," the district spokesperson wrote. " In some cases, that may include lower-tech or offline instructional methods to ensure continuity of learning."

The district spokesperson said it is "premature to speculate on long-term operational decisions" when asked if the district or state will use Canvas for the remainder of the school year.