The ShinyHunters gang has claimed a second successive breach of Instructure, the supplier of the Canvas learning management system (LMS), mere hours after the company claimed the whole affair was over.
On April 25, the ShinyHunters cybercrime operation did what it’s been doing for years now: it took advantage of some large, well-connected organization’s exposed cloud infrastructure to access, steal, and then threaten to leak some huge trove of data. The old story followed a non-linear path this time, though. Instructure claimed the breach was done for, then ShinyHunters claimed a second attack, and meanwhile disruptive activity as of this posting is ongoing. All this as final exam week commences across the US.
Dark Reading reached out to Instructure to square its previous claims with accounts from students and teachers online. In a statement, the company acknowledged that it is experiencing an “ongoing security incident” thanks to a follow-on compromise of “free-for-teacher” accounts.
Did ShinyHunters Breach Instructure Twice?
Since its breach, public messaging from Instructure has emphasized its quick and diligent incident response (IR). The timeline circulated to customers suggests that it first discovered the intrusion four days later, on April 29, and immediately revoked the attackers’ system access. Yet on April 30, it had to take more steps to address “additional suspicious access.”
On May 2, chief information security officer (CISO) Steve Proud stated, “We believe the incident has been contained.” He cited a few steps taken to ensure the attackers couldn’t get back in, like patching and rotating keys. On May 6, the company reemphasized that “we are not seeing any ongoing unauthorized activity.”
These claims have been challenged by disaffected students and teachers online, who report that their education has been interrupted, and that they’ve been hit with ShinyHunters splash messages as recently as May 7. Some affected schools are now walking back earlier, more optimistic reports passed down from the vendor. And a new ShinyHunters ransom note is circulating, in which the hackers claim to have re-infected the company. The note offers affected schools the option to negotiate with them directly and pushes back its leak deadline from the previously reported May 6 to May 12.
Dark Reading cannot confirm any specific claims online, but one affected student sent Dark Reading screenshots of the newly circulating splash page, which he says interrupted him on May 7. Dennis Pomazanov, studying at Georgia Tech, recalls, “When I tried to view my grades, I was greeted by the ransom message instead of the normal Canvas page. At the time, I was also unable to use Canvas to contact professors or classmates about questions I had, which made the situation more frustrating.”
In a May 8 statement to Dark Reading, Instructure acknowledged what students like Pomazanov were experiencing. It reported that on May 7, it took Canvas offline, again, to contain the ongoing incident. “We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts,” a company spokesperson wrote, without detailing the exact nature of the vulnerability. “As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”
“Personally, I was lucky because I had already finished my finals and homework,” Pomazanov says, “but I know several friends who were still trying to study, finish assignments, or prepare for exams, and the outage made that much harder for them.”
Which Schools Were Breached via Canvas?
Instructure’s Canvas is one of the most ubiquitous software platforms in education today. It’s an online companion to classrooms, where students message their teachers and submit homework, teachers post assignments and grades, and so on. Industry analysts place Canvas’ market share in the LMS space at 47% among higher education institutions in North America, and 28% in K-12. It’s also used widely in adult professional education settings.
ShinyHunters claims to have stolen around 3.65TB of names, emails, student ID numbers — and, perhaps most interestingly, “several billions of private messages” between students and teachers — from just under 9,000 institutions, representing somewhere around 275 million individuals. Some back-of-the-napkin math suggests that ShinyHunters left no Canvas customer untouched: in North America there are only around 4,000 accredited higher education institutions, and around 10,000 K-12 schools using LMSes.
Intrepid students and interested parties have visited ShinyHunters’ leak site and pulled its tally of victims, which is now circulating online. The laundry list includes numerous North American higher education institutions and K-12 schools, plus educational institutions in Europe, Central America, and elsewhere abroad. It also includes major corporations like Amazon and Apple, healthcare institutions, and cities and states, which may be in reference to government organizations. Dark Reading did not independently download this list, but cross-referenced it with data reported by cybersecurity researchers, as well as publicly known information about Canvas’ user base.
Risks to Schools, Companies, and Minors
Public statements from Instructure and its customers have emphasized that while the attackers stole some personal information, other particularly sensitive data such as passwords, birthdays, and financial information may not have been among the trove.
If that’s the good news, the bad news is the sheer scope and variety of risks associated with the data the company lost. Unlike most data breaches, which affect certain kinds of people in certain ways, Canvas’ customers span the government, healthcare, and major business sectors, all of which are subject to their own legal and regulatory frameworks and follow-on risks. Most glaring of all, though, is that by compromising thousands of K-12 schools, criminals now have access to, and are threatening to leak, a massive amount of data belonging to minors.
“When a breach involves the personal data of minors, the severity and the stakes escalate significantly,” says Darren Guccione, CEO and co-founder at Keeper Security. “Unlike a compromised credit card or a rotated password, a child’s name, date of birth, institutional records and private communications cannot be replaced. That exposure follows them. For institutions and the students they serve, the consequences can persist for years through identity fraud, targeted social engineering and other scams long after the headlines fade.”
“The hard question this incident raises is about what the industry should expect from platforms that operate at this scale and steward this kind of data,” he says. “When a single vendor serves thousands of institutions globally, the security standard has to reflect that responsibility.”
