Instructure, a cloud-based LMS Canvas company was hit by a massive data attack. Ransomware gang ShinyHunters claimed responsibility for the attack, saying that it had stolen data related to 280 million students, teachers, and school staff.
100s of GBs data leaked
The data breach accounts for hundreds of gigabytes, possibly leaking Canvas users’ email ids, private messages, and names.
Instructure revealed in May that it was hit by a data breach. The Canvas incidents of 8,809 universities, educational platforms, schools were impacted by the attack. ShinyHunters said that the numbers range between tens of thousands to several millions per institution.
It is concerning that a lot of K-12 students’ data has been leaked. If your child has been affected by the data breach, Malware Bytes can help in what to do next and how to stay safe.
Canvas compromised
Various students who tried using Canvas after the cyberattack received the message from ShinyHunters blackmailing to leak the data if Instructure did not contact the hackers by May 12. Canvas was shut down offline for various students following the incident, but it is now available for most users.
GTA 6, Studio Rockstar were blackmailed too
ShinyHunters has been killing it this year, with only high profile targets in its track records. The group asked for a ransom from GTA 6 (a video game) Studio Rockstar in April. But in reality, it was a hoax demand as the hackers did not have anything important/worthy to leak.
Nvidea Geforce allegedly hacked
But recently, the group allegedly claimed responsibility for the Nvidea’s GeForce Now breach, claiming to have “pulled their entire database straight from the backend."
Shiny hunters all over the place
In the Canvas incident, ShinyHunters allegedly stole user records through exposrting features inside the platform. This consists of DAP queries, APIs, and provisioning reports, according to Bleeping Computers. “The unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” Instructure said.
It also added that it “revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms."
The impact
Instructure also “engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements.”
However, it might be too little, too late—parents are unlikely to overlook the possibility of disclosing their children's information. The much bigger problem, though, is the disastrous harm ShinyHunters has caused to Canvas's operations and reputation, as malware historian vx-underground stated on X.
