Live: University pulls plug on Canvas after possible new hack by ShinyHunters (ended)

Students who try to log in to canvas.eur.nl since Friday morning find themselves locked out. The site is completely unavailable. Because of a possible new cyberattack on the education software on Thursday evening, the university has pulled the plug on the system for the time being.

Tuesday 5.22pm: Canvas available again on Wednesday

Now that the hackers have deleted the data and parent company Instructure has taken additional security measures, the university will gradually restart Canvas on Wednesday. With this news we are ending this live blog.

10.19am: Hackers deleted data

Parent company Instructure says it has struck a deal with hacker group ShinyHunters. The user data has been deleted and Canvas should be safe to use again. The hackers have confirmed the deal. It is still unknown when Canvas will actually be back online for EUR users.

Saturday 2.00pm: beware of phishing

Hacker group ShinyHunters is threatening to publish on the dark web on Tuesday the personal data stolen from Canvas. This increases the risk that students and staff will receive phishing emails, emails that appear to come from the university but were actually sent by others. Read what you can do to protect yourself from phishing.

12.30pm: entire weekend without Canvas, exams and classes continues

Canvas will also be unavailable for the rest of this weekend. Teaching will continue unchanged next week. This also applies to exams, unless a faculty indicates otherwise. According to the university, work is underway on alternatives. In the meantime, students and teachers are advised to use other channels, provided these remain within the EUR ecosystem. Some teachers have meanwhile already taken to Dropbox. On Monday, the university will issue a new update.

Friday 1.00 pm: Canvas will stay down for the rest of the day

Canvas will not be back online on Friday, a spokesperson says. “We are working hard on a solution and hope to be able to provide more clarity as soon as possible. We advise students, lecturers and staff to share university-related information only via official EUR channels, such as Microsoft Teams and EUR email. Avoid sharing sensitive or work-related information via external platforms.” On Saturday at 12pm the university promises a new update via MyEUR.

9.37 uur: University pulls the plug on Canvas due to new hack

Thursday night some students at Erasmus University saw a message from ShinyHunters after logging in to Canvas. It said the hacking group had again breached the infrastructure of software company Instructure, the owner of Canvas. “Instead of contacting us to resolve this they ignored us and made a few security updates”, it said. The hackers urged institutions to get in touch via a cybersecurity firm to prevent the leaking of their user data.

If that doesn’t happen, the data will be published on 12 May on the dark web. That gives the institutions six days more time than the hackers originally allowed.

System down

According to a university spokesperson it’s unclear whether yesterday’s events were a new hack, or whether the hackers had remained in the system since the first attack on Sunday.

As a precaution, the university shut down the system entirely on Thursday evening. That means students and staff can no longer access their course materials, view their grades or send messages to each other.

Alternative communication methods

How long this situation will remain is unclear. The university’s crisis meeting convened this morning and is now working on several scenarios, including alternative ways for students and staff to communicate. A statement on this will be sent to all involved later on Friday.

Last week, the hacker group took the personal data of millions of students and staff around the world. The data come from Canvas, an education application used by around nine thousand institutions worldwide. The attack was claimed by ShinyHunters, a hacking group previously involved in the Odido breach.

Initially the US company Instructure, the maker of Canvas, had to pay a ransom by Wednesday at the latest, otherwise all data would be made public. But the deadline has now been pushed back by six days, ShinyHunters reports on its website.

‘Don’t pay the ransom’

In the Netherlands seven universities and at least two universities of applied sciences use Canvas. These are the two universities in Amsterdam, Erasmus University, Tilburg University, Maastricht University, the University of Twente and TU Eindhoven, and the Hogeschool Utrecht and Fontys. Students and staff are asked ‘be alert for possible phishing emails following the data leak’, writes umbrella organisation UNL.

After the Odido hack the government issued urgent advice not to pay ransom to hackers. It is quite possible that hackers will not keep their promises. “Paying ransom sustains criminals’ business model”, wrote the minister of justice and security, David van Weel, at the time.