University pulls plug on Canvas after possible new hack by ShinyHunters

Students who try to log in to canvas.eur.nl since Friday morning find themselves locked out. The site is completely unavailable. Because of a possible new cyberattack on the education software on Thursday evening, the university has pulled the plug on the system for the time being.

Last night some students at Erasmus University saw a message from ShinyHunters after logging in to Canvas. It said the hacking group had again breached the infrastructure of software company Instructure, the owner of Canvas. “Instead of contacting us to resolve this they ignored us and made a few security updates”, it said. The hackers urged institutions to get in touch via a cybersecurity firm to prevent the leaking of their user data.

If that doesn’t happen, the data will be published on 12 May on the dark web. That gives the institutions six days more time than the hackers originally allowed.

System down

According to a university spokesperson it’s unclear whether yesterday’s events were a new hack, or whether the hackers had remained in the system since the first attack on Sunday.

As a precaution, the university shut down the system entirely on Thursday evening. That means students and staff can no longer access their course materials, view their grades or send messages to each other.

Alternative communication methods

How long this situation will remain is unclear. The university’s crisis meeting convened this morning and is now working on several scenarios, including alternative ways for students and staff to communicate. A statement on this will be sent to all involved later on Friday.

Last week, the hacker group took the personal data of millions of students and staff around the world. The data come from Canvas, an education application used by around nine thousand institutions worldwide. The attack was claimed by ShinyHunters, a hacking group previously involved in the Odido breach.

Initially the US company Instructure, the maker of Canvas, had to pay a ransom by Wednesday at the latest, otherwise all data would be made public. But the deadline has now been pushed back by six days, ShinyHunters reports on its website.

‘Don’t pay the ransom’

In the Netherlands seven universities and at least two universities of applied sciences use Canvas. These are the two universities in Amsterdam, Erasmus University, Tilburg University, Maastricht University, the University of Twente and TU Eindhoven, and the Hogeschool Utrecht and Fontys. Students and staff are asked ‘be alert for possible phishing emails following the data leak’, writes umbrella organisation UNL.

After the Odido hack the government issued urgent advice not to pay ransom to hackers. It is quite possible that hackers will not keep their promises. “Paying ransom sustains criminals’ business model“, wrote the minister of justice and security, David van Weel, at the time.