Instructure Confirms Data Breach Affecting Canvas Users

Key Takeaways

• Instructure confirmed personal data including names, emails, and student IDs was exposed in the breach
• ShinyHunters claims the attack affected nearly 9,000 schools and 275 million individuals
• Customers must re-authorize API access as Instructure rotates application keys

Instructure, the company behind Canvas, one of the most widely used learning management systems in education, has confirmed that a cyberattack exposed personal information of its users. The ShinyHunters extortion gang has claimed responsibility for the breach.

The Utah-based company disclosed the security incident on Friday, May 2. By Saturday, Instructure updated its statement to confirm that user data had been compromised.

“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.”

— Instructure official statement

Instructure says it has found no evidence that passwords, dates of birth, government identifiers, or financial information were accessed. The company has committed to notifying affected institutions if that assessment changes.

What Instructure Has Done So Far

The company is working with third-party cybersecurity experts and law enforcement on the investigation. As an immediate response, Instructure has deployed patches, increased monitoring, and rotated application keys.

The key rotation has a direct impact on customers. Organizations using Instructure's API must re-authorize access to receive new application keys. This step, while disruptive, is a standard precaution to ensure any compromised credentials become useless.

ShinyHunters Claims Massive Scale

ShinyHunters, a known data extortion group, has listed Instructure on its data leak site. The group's claims go far beyond what Instructure has confirmed.

According to ShinyHunters, the breach affected nearly 9,000 schools worldwide and exposed data on 275 million individuals. The group claims to have obtained over 240 million records tied to students, teachers, and staff.

The threat actor claims the stolen data includes student names, email addresses, enrolled courses, and private messages to teachers. ShinyHunters also alleges that Instructure's Salesforce instance was breached.

Data shared by ShinyHunters suggests the alleged dataset spans nearly 15,000 institutions across North America, Europe, and Asia-Pacific. BleepingComputer has not independently verified these claims, and Instructure has not commented on the threat actor's assertions.

The Vulnerability Question

ShinyHunters claims they exploited a vulnerability in Instructure's systems to gain access. According to the group, this vulnerability has since been patched.

Instructure has not publicly confirmed the attack vector or when the breach actually occurred. The company also has not stated whether it received extortion demands, which is typical of ShinyHunters' operations.

What Affected Institutions Should Do

Schools and universities using Canvas should take several immediate steps while waiting for more details from Instructure.

• Re-authorize API access as required by Instructure's key rotation
• Monitor for phishing attempts targeting students and staff using exposed email addresses
• Review any third-party integrations connected to Canvas
• Prepare communications for students and parents about the incident
• Watch for Instructure's updates on whether additional data types were compromised

The exposure of private messages between students and teachers is particularly concerning for institutions. Even if the messages contain no sensitive personal information, their release could create privacy and trust issues for schools.

ShinyHunters' Track Record

ShinyHunters is not a new player. The group has been linked to several high-profile breaches over the past few years, including attacks on Microsoft, AT&T, and Ticketmaster. Their typical playbook involves stealing data and demanding payment to prevent its public release.

If the scale of their claims is accurate, this would rank among the larger education sector breaches. Canvas serves K-12 schools, universities, and corporate training programs across more than 100 countries.

Frequently Asked Questions

What data was stolen in the Instructure breach?

Instructure has confirmed that names, email addresses, student ID numbers, and user messages were exposed. The company says passwords, dates of birth, government IDs, and financial information were not involved based on current findings.

How many schools were affected by the Canvas data breach?

ShinyHunters claims nearly 9,000 schools were affected, though Instructure has not confirmed this number. The threat actor's data suggests institutions across North America, Europe, and Asia-Pacific were impacted.

What should Canvas users do after the Instructure breach?

Users should watch for phishing emails using their exposed email addresses. Institutions need to re-authorize API access and monitor for Instructure's updates on whether additional data types were compromised.

Who is ShinyHunters?

ShinyHunters is a data extortion group linked to breaches at major companies including Microsoft, AT&T, and Ticketmaster. They typically steal data and demand payment to prevent public release.

Were Canvas passwords compromised?

Instructure says it has found no evidence that passwords were accessed in the breach. However, the investigation is ongoing, and the company has committed to notifying institutions if that assessment changes.

Source: BleepingComputer