Canvas Data Breach: Schools Negotiated Directly With Hackers

Key Takeaways

• ShinyHunters stole 6.65 terabytes of data from nearly 9,000 schools using Canvas
• Some schools contacted hackers directly to negotiate and prevent data release
• Canvas is now fully operational after Instructure shut down the exploited Free-for-Teacher service

Schools Took Matters Into Their Own Hands

Some schools and universities did something unusual after the Canvas data breach in April. They reached out directly to the hackers.

A source familiar with the matter told Reuters on Friday that affected institutions individually sought to deal with the cybercriminal group ShinyHunters to prevent their students' data from being released. This happened after ShinyHunters claimed Canvas' parent company, Instructure, had "not even bothered speaking to us."

The stolen data included student names, email addresses, student ID numbers, and private messages between students, teachers, and staff. For schools preparing for end-of-year assignments and tasks, the timing was terrible.

How the Breach Unfolded

ShinyHunters is not new to this game. The group has a track record of data theft and extortion campaigns targeting major global companies. On May 5, they posted a message complaining that Instructure had ignored them, adding that their ransom demand "was not even as high as you might think it is."

The hackers included a list of roughly 1,400 individual schools and districts in their post. They invited these institutions to contact them directly to negotiate and prevent their data from being published.

The Attack Vector: Free-for-Teacher Service

An Instructure spokesperson revealed Friday that the hackers exploited a vulnerability in the company's Free-for-Teacher service. This feature allows non-Canvas users to try certain parts of the platform without a full account.

“The hackers made changes to pages that appeared when some students and teachers were logged in.”

— Instructure spokesperson

On May 7, students at multiple schools tried to log into Canvas and found a message from ShinyHunters with a link to the list of affected schools. Instructure responded by pulling Canvas, Canvas Beta, and Canvas Test offline. They restored access to Canvas four hours later.

The company has temporarily shut down the Free-for-Teacher service. According to the spokesperson, this "gives us confidence to restore access to Canvas, which is now fully back online and available for use."

Why Schools Might Negotiate With Hackers

The decision by some schools to contact hackers directly reflects a difficult reality. When a vendor is not engaging with attackers, institutions may feel they have no other option to protect their students' data.

Canvas is widely used in education. Schools rely on it to facilitate class assignments, share information, and enable communication between students and faculty. A breach of this scale puts sensitive information about minors at risk.

Student newspapers across the country reported widespread disruption this week. End-of-year tasks, assignments, and communications were all affected. For graduating students in particular, the timing could not have been worse.

What's at Stake

The compromised data is a privacy nightmare. Student names and email addresses are bad enough. But the breach also exposed private messages between students, teachers, and staff. These conversations could contain sensitive academic, disciplinary, or personal information.

Student ID numbers add another layer of risk. These identifiers are often used across multiple school systems and can be difficult to change. Unlike a password, you cannot simply reset a student ID.

Current Status

Instructure says Canvas is now fully operational. The company's Chief Information Security Officer Steve Proud acknowledged the scope of the breach in a May 2 post on the company's support website. By May 6, Instructure declared the situation resolved.

The Free-for-Teacher service remains offline. This removes the attack vector that ShinyHunters exploited, though it also removes a feature that helped educators evaluate the platform.

It remains unclear how many schools actually negotiated with the hackers, what terms were discussed, or whether any payments were made. The source who spoke to Reuters did not provide these details.

Frequently Asked Questions

What data was stolen in the Canvas breach?

ShinyHunters stole user names, email addresses, student ID numbers, and private messages between students, teachers, and staff. The total haul was 6.65 terabytes from nearly 9,000 schools.

Is Canvas safe to use now?

Instructure says Canvas is fully operational as of May 6. The company shut down the Free-for-Teacher service that hackers exploited to prevent further attacks.

Who is ShinyHunters?

ShinyHunters is a cybercriminal hacking group known for data theft and extortion campaigns against major global companies. They have a track record of stealing data and demanding ransom to prevent its release.

Why did schools negotiate directly with hackers?

Some schools reached out to ShinyHunters after the hackers claimed Instructure had not contacted them. With student data at risk and the vendor not engaging, schools felt they had to act on their own.

How did hackers breach Canvas?

The attackers exploited a vulnerability in Canvas' Free-for-Teacher service, which allows non-users to try parts of the platform. This service is now temporarily shut down.

Source: Tech-Economic Times / ET