BREAKING: Hacker group ShinyHunters shuts down Canvas website, demands ransom

This is a developing story. Coverage continues here. Stay with City Times Media for more updates.

When San Diego City College student Briana Bush opened Canvas on her laptop midday on Thursday, May 7, she had hopes to submit one of her spring semester finals.

Instead, the arts and culture editor for City Times was met with a black screen and a message in a single red-rimmed text box.

The messengers called themselves ShinyHunters and demanded a ransom from Canvas’ parent company, Instructure, before the end of the day Tuesday, May 12.

And shortly after, Bush refreshed her screen, finding a notice that Canvas was “currently experiencing maintenance and to check back soon.”

“My jaw literally dropped,” Bush said. “It was insane seeing this message after having just recently reported on this. I thought Instructure had handled it because we were able to access Canvas up until today.”

In the text box, ShinyHunters detailed the ransom and implored the schools affected to contact them and to discuss a settlement before “everything gets leaked.”

City Times reporters followed a text box link and found a list of schools that were affected by the attack but declined to visit the provided page for fear of phishing or malware.

When sifting through the list, reporters found that the San Diego Community College District, with which San Diego City College belongs, was on the list.

Other schools in the county, such as San Diego State University, Southwestern College, and the Grossmont-Cuyamaca Community College District, were also named.

Since 2019, ShinyHunters has been responsible for dozens of high-end leaks, some of which include Ivy League schools and high-fashion companies such as Neiman Marcus.

On May 2, when the initial attack happened, Instructure posted an update on its status page about the information it believes was taken.

“Indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages,” Instructure wrote then. “At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions.”

Neither ShinyHunters nor Instructure have not made it clear if any more information has been compromised since.

Instructure was unavailable for comment after multiple emails and calls from City Times Media.

At 2:11 p.m., SDCCD Chancellor Greg Smith sent out a district-wide email regarding the Canvas outage, detailing that SDCCD was aware and the situation had been forwarded to the California Community College Chancellor’s Office, who oversees SDCCD’s usage of Canvas.

Smith reassured that this attack from ShinyHunters is separate from the cybersecurity attack that led to the ongoing shutdown of the SDCCD network since last weekend.

It is expected to last through Friday afternoon.

As CCCCO is the main contact with Instructure, City Times attempted to reach out, but all staff members were unavailable.

“I understand the severity of impact this has given the timing and end of spring semester,” Smith said in the message. “I will be monitoring this in real time and communicating with CCCCO until it is resolved.”

At 4:48 p.m., SDCCD sent an a follow-up district-wide message that reported emails were being sent to students from ShinyHunters.

The group claims to have compromising web browser data on the student and demands $2,000 in Bitcoin in order to delete it within 48 hours, according to the message.

The district announced this is a scam, and advised faculty, staff and students to delete any emails that seem suspicious.

“We are working to block these emails sent to sdccd.edu email addresses,” SDCCD said. “We cannot block emails sent to non-SDCCD email addresses. Anyone receiving such a message should delete it immediately.”

Venkateswar Rao Vadlamudi, a soon-to-graduate cyber defense student at San Diego City College, was interviewed by City Times Media and said the reported activity linked to ShinyHunters shows the growing threat from financially motivated hackers targeting major companies and services connected to critical infrastructure.

“In many cases, attackers do not use highly sophisticated tools. Instead, they exploit stolen credentials, weak access controls, exposed cloud systems and weaknesses involving third-party vendors,” said Vadlamudi, who is among the first at City to receive a bachelor’s degree in cyber defense and analysis and will pursue a master’s at SDSU starting in the fall.

The incident highlights a basic principle of cyber defense: security depends on layered protections, not just perimeter defenses.

Those measures include multifactor authentication, limited user access, network segmentation, timely patching, continuous monitoring and a tested incident response plan.

“For infrastructure-related organizations,” Vadlamudi said, “the risks include data exposure, service disruption, financial loss, regulatory scrutiny and lasting damage to public trust.”

In Smith’s note, he details what students and staff should do.

“All Canvas users, including all faculty and students should take the following steps immediately:

• Log out and exit the Canvas platform
• If using the Canvas App, close the app
• If using web browser access, close the web browser
• Do not attempt to log into Canvas until you receive a notice from SDCCD that is safe to do so.
• Remain on high alert for emails, social media posts, or other electronic communications asking you to click on links, enter or share username and password information, download files, or open attachments.”

Can’t see the video? Click here.

“The incident shows the growing threat from financially motivated hackers targeting major companies and services connected to critical infrastructure,” Vadlamudi said.

This story was edited by Rosemary Archer and Briana Bush.