Northeastern says no sign so far that accounts compromised in Canvas cyberattack
Close to 9,000 schools and universities across the country were locked out of course materials on Thursday after Canvas was hit by a cybersecurity incident, in which the hackers demanded a settlement.
Following a cyberattack on the popular online learning platform Canvas that rattled academic institutions this week, an ongoing review of the security breach has found that no Northeastern university-affiliated usernames or passwords had been jeopardized as of Friday, university security officials said.
“At this time, Northeastern hasn’t observed compromised university accounts or activity outside of what Instructure has publicly shared, and details related to Canvas itself remain part of the vendor’s investigation,” Jen Brant‑Gargan, Northeastern’s chief information officer, told Northeastern Global News, referring to Canvas’ parent company.
“This was a security incident affecting a widely used third‑party platform across higher education,” Brant‑Gargan added. Northeastern cybersecurity officials said the university had not so far received any information specific to Northeastern from Instructure.
Close to 9,000 schools and universities across the country were locked out of course materials on Thursday after Canvas was hit by a cybersecurity incident, in which the hackers demanded a settlement.
The notorious hacker group ShinyHunters, which has executed data breaches on the likes of Ticketmaster, Amtrak and Rockstar Games, has claimed responsibility for Thursday’s Canvas attack.
The web-based learning management system allows educators to host course content and grade assignments and share discussion boards with students.
The attacks come at a time when schools are increasingly becoming targets for data breaches. According to a report from SentinelOne, an American cybersecurity firm, ransomware attacks “across the education sector surged by 69% from 2024 to 2025.”
Among the biggest cybersecurity stories last year was the breach of PowerSchool, the educational software provider that services more than 60 million students worldwide.
The hack also comes days after Instructure, Canvas’s corporate parent company, disclosed in early May that its systems had been hacked “by a criminal threat actor” at the end of last month.
At the time, the company said it had “contained” the situation, noting that hackers had exploited a vulnerability in its Free-For-Teachers service, which allows educators to create their courses on Canvas independent of their institution.
But in a message posted Thursday on Canvas, the alleged culprits said the company’s methods didn’t work.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some security patches,” the message read, before adding that the company had until the end of day on May 12, 2026, to negotiate a settlement “before everything leaks.”
In the April breach of the Free-for-Teacher service the hacker group claimed to have stolen names, email addresses, student ID numbers, and private messages between teachers and students.
On Friday, Instructure said it had addressed the issue and temporarily shut down its service, and access had been restored to users.
Northeastern’s Office of Information Security, which manages information security across the university’s campuses, first learned that Instructure had suffered a ransom attack about a week ago, officials said.
On Thursday, attackers allegedly defaced the Canvas login page, according to Northeastern security officials. In response, Instructure redirected the Canvas login traffic to a maintenance page, temporarily taking the service offline for users nationwide.
Northeastern responded separately by disconnecting its “single sign-on integration,” an authentication system that lets users access multiple applications with one set of university credentials, with Canvas. Doing so effectively severed the university’s authentication connection to the platform to prevent any further exposure to the compromised system.
While Canvas was offline, Northeastern investigators also monitored for “anomalous activity,” including spikes in login attempts or unusual authentication behavior, to determine whether any university credentials had been compromised, university officials said.
The university is still conducting its own review of the incident alongside Instructure and third-party forensic responders.
Northeastern’s cybersecurity protocol includes systems that scan university-owned devices and networks across all 14 campuses for vulnerabilities, malware, ransomware and other risks. The university also employs a 24/7 Security Operations Center and fulltime security teams that continuously watch for unusual behavior, such as strange login attempts or abnormal software activity, so that they can respond quickly if something seems suspicious, officials said.
Those protections are especially important in third-party breaches because the biggest danger often comes after the initial hack, if attackers are able to use the compromised platform or data they stole to attack other systems. This includes login systems, email accounts, cloud storage or other networks that process sensitive data, officials said.
Northeastern officials are looking to expand cybersecurity protections by expanding security coverage to more specialized systems and tightening network controls to reduce exposure to future attacks, university officials said.
Engin Kirda, a Northeastern professor of computer science and engineering, said in general ransomware attacks have become extremely popular in the past decade because “they are effective and work.”
“These attacks can be extremely profitable,” he said, noting that oftentimes companies end up paying the ransom to get their systems back up online. “It’s the reason we keep seeing them.”
Hackers are able to execute ransomware attacks by exploiting vulnerabilities in a company’s system or by gaining access to someone’s login credentials, often by using nefarious means.
In the case of Canvas, the Free for Teachers service account likely has “very light verification,” he said, making it easy to exploit.
“The ransom angle comes from what they can reach once inside,” Kirda said. “Student records, grades, course content, and personally identifiable information all have value. Attackers typically threaten to publish stolen data, and in some cases encrypt parts of the system, then demand payment to stop the leak or restore access.”
While he said companies tend to have defenses in place to prevent these types of attacks from happening, sometimes these systems fail.
And those failures can be costly.
“What we are actually seeing here is that we are really dependent on some services because the internet for us now is critical infrastructure,” he said.
What can individuals do to keep their own information safe? University officials have offered tips:
- Verify that emails and login pages come from legitimate senders and official university-related domains before clicking links or entering credentials.
- Hover over links and closely inspect URLs to make sure they direct to trusted websites rather than spoofed or suspicious pages.
- Never share passwords or sensitive personal information through email, especially in unsolicited or urgent-looking messages.
- Be wary of phishing tactics that create a false sense of urgency or use email addresses designed to mimic legitimate organizations.
