ShinyHunters Extorts Instructure After Canvas Breach
ShinyHunters breached Instructure last week and demanded payment or a data leak. The company owns Canvas, the learning management system used by 41 percent of higher education institutions across North America, so the attack reaches far beyond one vendor account.
Canvas users and schools
ShinyHunters claimed the intrusion affected nearly 9,000 schools worldwide and exposed the personal identifying information of 275 million people, including students, teachers and staff. For campuses that route coursework, grades and class messaging through Canvas, the immediate worry is whether those records can now be used to impersonate real users.
PAY OR LEAK
The group’s ransom message, published May 3 by Ransomware.live, used the line “PAY OR LEAK” and said Instructure should pay or face disclosure of several billion private messages. ShinyHunters said those messages included personal conversations and other personal identifying information, and it told the company to reach out by 6 May.
Instructure and Tanium
Instructure said it has contained the attack, while late last week Canvas users started reporting disruptions to their authentication keys. Doug Thompson, chief education architect and director of solutions engineering for Tanium, said, “This breach follows a clear pattern we’ve been watching for the last 18 months” and warned that attackers are shifting toward the platforms that sit underneath thousands of institutions at once.
Thompson also said, “With access to real names, email addresses and even teacher-student messages, the next wave of phishing will not be generic.” That leaves campuses with a practical problem now: messages that look ordinary could be built from real course details and real conversations, which can make them harder for students and staff to dismiss.
The unresolved issue is whether Instructure will face publication of the data ShinyHunters claims to hold, or whether the company’s containment steps will prevent that next move.