Instructure, the parent company of the online learning platform Canvas, has confirmed two incidents of unauthorized access within a two-week period. This breach is linked to the cybercriminal group ShinyHunters, which claims to have stolen data from more than 275 million students, teachers, and staff across nearly 9,000 educational institutions globally.
Details of the Breach
The security incident began on April 29, when Instructure detected unauthorized activity in Canvas and promptly revoked the intruder’s access. Following this, on May 7, the company identified further unauthorized actions related to the same incident. ShinyHunters reportedly exploited a vulnerability in the Free-for-Teacher version of Canvas, leading to the theft of usernames, email addresses, course names, enrollment details, and messages.
Impact on Users
As a result of the breach, Canvas was taken offline temporarily, disrupting access for thousands of educational institutions during critical periods such as final exams and Advanced Placement testing. Instructure has stated that core learning data, including course content and submissions, was not compromised. However, the scale of the data theft is significant, with ShinyHunters claiming to have acquired 3.65 TB of data.
Response and Mitigation Efforts
In response to the breach, Instructure has implemented several security measures. These include shutting down Free-for-Teacher accounts, revoking access tokens, rotating internal keys, and enhancing monitoring across its platforms. The company has also engaged CrowdStrike for forensic analysis and has notified the FBI and the US Cybersecurity and Infrastructure Security Agency.
Negotiations with Cybercriminals
In a surprising turn, Instructure later confirmed that it reached an agreement with the unauthorized actor involved in the incident, resulting in the destruction of the stolen data. The company stated, “We received digital confirmation of data destruction (shred logs),” and assured customers that none of them would face extortion related to this breach. This admission raises questions about the ethics of paying ransoms, a decision that Instructure appears to have made to protect its users.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








