Rockstar ransom hackers claim to have stolen the data of 280 million teachers, school staff, and students in Canvas attack
Lock it down, switch on 2FA, and stay safe, folks.
Instructure, the company behind cloud-based learning management system Canvas, has suffered a massive data breach. Ransomware group ShinyHunters has since claimed responsibility for the attack, alleging that it has exfiltrated data tied to 280 million teachers, school staff, and students.
The data breach totals hundreds of gigabytes, potentially exposing Canvas users' names, email addresses, and their private messages.
Instructure first disclosed on May 1 that it "experienced a cybersecurity incident perpetrated by a criminal threat actor." The Canvas instances of 8,809 universities, schools, and other educational platforms were affected by the cyberattack. ShinyHunters shared alleged record counts with Bleeping Computer, which said they "range from tens of thousands to several million per institution."
Bleeping Computer chose not to name the institutions within this list, as it was unable to independently verify which were affected. Still, what is perhaps most troubling about the attack is that it has likely exposed the data of a number of K-12 students. If you have been told that your child was affected by the Instructure breach, Malwarebytes has a helpful guide on what to do next and how best to protect them.
A number of students who attempted to use Canvas following the cyberattack were met with a message purporting to be from ShinyHunters, threatening to leak the data if Instructure did not contact them before May 12. Canvas was taken offline for a number of days afterwards, though the learning platform is now available again for most users.
'ShinyHunters' may ring a bell, as the hacker group has been on a bit of a tear with high-profile attacks lately. For instance, the group demanded a ransom from GTA 6 studio Rockstar last month (though it turns out they didn't have all that much to leak in the end). Earlier this week, the hacker group also claimed it had successfully breached Nvidia's GeForce Now, alleging to have "pulled their entire database straight from the backend."
In the case of Canvas, ShinyHunters claims it stole the user records via the export features within the platform itself. That includes user APIs, DAP queries, and provisioning reports, according to Bleeping Computer.
According to Instructure, "the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts." This same issue apparently caused a similar breach earlier in April, and Instructure has chosen to temporarily shut down Free-For-Teacher accounts as a result.
Instructure also says, in response to this cybersecurity incident, that it "revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms."
The company also "engaged a third-party forensic firm and notified law enforcement." The company adds, "Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements."
But it may be too little, too late—potentially exposing the data of minors is not a mistake parents will easily forget at the very least. As malware archivist vx-underground said on X, "The much larger issue however is the catastrophic damage ShinyHunters has done to Canvas both operational and reputational."


Jess has been writing about games for over ten years, spending a significant chunk of that time working on print publications PLAY and Official PlayStation Magazine. When she’s not investigating all things hardware here, she's either constructing a passionate defence of a 7/10 game, daydreaming about her debut novel, or feeling wistful about the last time she chased some nerds around a field with an oversized foam sword.

