Most college students know the particular dread that comes with finals week: the cold coffee, the all-nighters, the neon hum of the library at two in the morning, and the people who have obviously given up on sleep altogether. Now picture sitting down to turn in a final paper, opening your laptop, and finding a single red-rimmed text box on a black screen demanding a ransom. On May 7, Briana Bush, a student at San Diego City College, and countless other students at about 8,809 universities worldwide experienced just that. There was more to the Canvas hack than data leaks. Millions of people who had nothing to do with the decisions that exposed them were deprived of finals week.

The mechanics of what happened, examined closely, should concern university authorities. Instructure, the company that created Canvas, first discovered unauthorized activity on April 29. The hacker collective ShinyHunters, a well-known name in the cybersecurity community that has previously targeted Microsoft, the European Commission, and other corporate Salesforce clients, allegedly compromised the platform. Instructure claimed to have “contained” the situation.

Then it happened again on May 7. In a second exploit of the same vulnerability, which was connected to Canvas’s “Free-For-Teacher” accounts, the attackers replaced the login page with their ransom notice, visible to all users. In other words, the fix failed. The hackers sneered in their email that Instructure had “ignored us and did some security patches” rather than engaging in dialogue.

That is the detail that stands out. A breach is the result of a combination of poor security and bad luck. A second breach through the same hole, days after the company promised everyone it was patched, is more akin to negligence, or at the very least a failure severe enough that students have every right to demand a thorough accounting.

The hackers threatened to reveal what they claimed was information on 275 million people and billions of private chats, and they gave schools until May 12 to “negotiate a settlement.” Whether those figures are true or overstated for leverage is one of the many things students still do not know; ransomware groups sometimes exaggerate.

If you read student publications instead of the wire reports, you could see the human texture of this everywhere. A University of Pennsylvania student logged out midway through a study session. Santa Rosa Junior College instructors were frantically sending course materials via Google Drive and email because the platform they had used for the entire semester had just disappeared.

Berkeley City College, Laney, Merritt, De Anza, and other community colleges in the Bay Area all suddenly went dark. While national media caught up, dozens of university publications, including the Duke Chronicle, the Oak Leaf, and City Times Media, did the actual reporting. It says something that student journalists, who were directly affected, covered this more quickly and thoroughly than the majority of professional newsrooms.

What makes the episode worth thinking about is what it reveals about how precarious academic infrastructure has quietly become. A startling portion of higher education worldwide is powered by a single SaaS startup called Instructure. When it goes down, it does not take just one school with it. It goes down for about 9,000 of them at the same time, across continents, during the most important week of the academic year. One of the reasons students pay such high tuition is the implicit guarantee that the institution will run smoothly: that the systems will be available when they need to submit, study, and demonstrate what they have learned. That guarantee turned out to depend on the security posture of a third-party provider that most students had never considered.

The University Students Who Lost Their Finals Week to a Ransomware Attack Deserve Answers

The accountability questions are real and mostly unanswered. How long did the hackers actually have access to confidential student information? Specifically, whose data was downloaded as opposed to merely accessible? Why could the same vulnerability be exploited twice in a single week? What specific steps is Instructure taking to make sure that finals week doesn’t end the same way in the future? The company temporarily closed the Free-For-Teacher accounts that appeared to be the access point and contacted the FBI, CISA, and international partners, which was the proper procedural move. However, alerting law enforcement and closing the door after the fact is not the same as explaining to students why the door was open in the first place.

Even if it happens gradually, higher education’s dependence on centralized instructional technology is about to face a more comprehensive reckoning. The ease of managing everything on a single platform is real, and so is the systemic risk it poses. The Canvas hack won’t be the last of its kind, and the next organization affected will have to answer the same awkward questions about why it relied on a single point of failure for so much of its operations. For the time being, however, the students who lost their finals week need more than a vague assurance and a status-page update. Before they are expected to log back in next semester and trust the system again, they should be told exactly what was taken, exactly what went wrong, and exactly what has changed.
