Instructure reaches ransom agreement after Canvas data breach

Instructure, the company behind Canvas, said on Monday it reached an agreement with an unauthorized actor after a breach that exposed data tied to thousands of schools and universities, including about 275 million records.

KEY FACTS

  • Impact: The incident involved data from nearly 9,000 organizations.
  • Volume: Attackers are said to have taken about 3.65TB of data.
  • Response: The company said the stolen data was returned and digital confirmation of destruction was provided.
  • Scope: Instructure said course content, submissions and credentials were not compromised.

Instructure said the agreement covers impacted customers and that none of its customers will be separately extorted as a result of the hack. The company said it made the deal because of concerns about the potential publication of data.

The disclosure follows a late-April attack attributed to the ShinyHunters extortion crew that targeted Canvas, a web-based learning management system used by schools and universities. A second wave of activity was detected on May 7, when login portals at about 330 institutions were defaced with extortion messages and the attackers set a May 12 deadline for ransom talks, according to Instructure’s incident update.

Instructure said the attackers used an unspecified vulnerability related to support tickets in its Free-for-Teacher environment to gain access and exfiltrate records that included usernames, email addresses, course names, enrollment information and messages. It temporarily shut down Free-for-Teacher accounts and said it revoked privileged credentials and access tokens, rotated internal keys and added security controls.

The company said it is working with expert vendors on forensic analysis and a review of the data involved. It also said it has not disclosed the vulnerability itself and that it informed customers the stolen material did not include course content, submissions or credentials.

WHY IT MATTERS

The breach could give attackers enough personal context to target staff, students and parents with phishing or impersonation campaigns. Schools and universities using the platform may need to warn users and watch for follow-on fraud.