College of Menominee Nation warns students after Canvas cyberattack

The College of Menominee Nation warned students on May 8 that a cyberattack on Canvas, the online learning platform it uses for instruction and coursework, could disrupt how classes were running in Keshena and across Menominee County. The bulletin said CMN was not the direct target, but the college was still affected because Canvas handles class postings, assignment submissions, announcements and student-faculty messages at a point in the semester when many courses are nearing end-of-term deadlines.

CMN said it does not directly surface personally identifiable information to Canvas and that there was no indication passwords, financial information, Social Security numbers or dates of birth were compromised. The college also said some information submitted through Empower may have included student names, student IDs, email addresses and enrolled courses. Messages sent through Canvas itself, including communications between students, faculty and instructors, may also have been obtained by malicious actors.

The college said it had received an all-clear from Instructure and believed Canvas was accessible again for students and faculty, but it still urged caution. Students were told to contact instructors with course questions, monitor Gmail and use the Phish Alert reporting tool if suspicious messages appeared. CMN also warned that attackers could try to impersonate college officials and request login credentials or personal information, a risk that matters most when students are balancing work, childcare, transportation and classes and depend on the portal as the main link to campus.

Instructure said the security incident had been contained and that Canvas was fully operational by May 9. The company recommended enforcing multifactor authentication on privileged accounts, reviewing admin access and rotating API tokens or keys where appropriate. Federal Student Aid later said the incident affected Canvas platforms used by K-12 schools and higher-education institutions worldwide and involved unauthorized access to usernames, email addresses, course names, enrollment information and messages. It said there was no evidence passwords, dates of birth, government identifiers or financial information were exposed.

The broader disruption reached beyond CMN. Instructure detected unauthorized activity on April 29 and additional activity on May 7, and colleges including the University of Illinois at Urbana-Champaign, Baylor University and Arizona State University postponed exams or assignment deadlines. Canvas is used by roughly 9,000 schools and educational institutions, which made the outage a wide-ranging problem during finals season and left colleges like CMN relying on direct instructor contact and close attention to email while the system settled back into normal use.