Canvas Hack: Instructure Pays to Delete Stolen Data
Key Takeaways
- Instructure reached a deal with hackers to delete data stolen from Canvas, though experts doubt the data is truly gone
- ShinyHunters claimed to have breached 9,000 schools and accessed data on 275 million individuals
- Stolen data included student IDs, emails, names, and messages, but not passwords or financial information
Instructure, the company behind the widely used Canvas learning management system, announced it reached an agreement with hackers to delete data stolen in a cyberattack that disrupted finals week for students across nearly 9,000 schools worldwide.
The company did not disclose whether it paid a ransom. But former FBI Cyber Division deputy director Cynthia Kaiser said the reported deal suggests payment was likely made.
“What victims must understand is that payment does not end the threat. Stolen data will be used against clients and users for as long as it remains profitable to do so.”
— Cynthia Kaiser, Senior Vice President, Halcyon Ransomware Research Center
What ShinyHunters Stole
A hacking group called ShinyHunters claimed responsibility for last week's breach. The group threatened to leak data involving 275 million individuals if schools did not pay a ransom by May 6. When the deadline passed, ShinyHunters extended it, indicating some schools had started negotiating.
This isn't ShinyHunters' first attack on Instructure. The group was behind a smaller breach of the company last year.
Steve Proud, Instructure's chief information security officer, said the breach appeared to involve student ID numbers, email addresses, names, and messages on the Canvas platform. The company found no evidence that passwords, dates of birth, government identification, or financial information were compromised.
The Deal and Its Limits
Instructure said it received "digital confirmation" that the hackers destroyed remaining copies of the data. This confirmation came in the form of "shred logs." The company was blunt about the limits of this assurance.
"While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," Instructure wrote in its online post.
Cybersecurity experts remain skeptical. There's no technical mechanism that forces criminals to honor deletion promises. Shred logs can be fabricated. And data can be copied to offline storage before any deletion occurs.
Chaos During Finals Week
The timing of the attack caused maximum disruption. Instructure temporarily took Canvas offline while investigating, locking out students and faculty during finals. Many students rely on Canvas for submitting assignments, accessing course materials, and communicating with instructors.
A lawsuit filed last week in federal court in Utah alleged Instructure did not do enough to protect the platform and made itself "easy prey for cybercriminals." The suit claims the company failed millions of students who depend on the platform.
What Happens Now
Instructure said it is working with "expert vendors" to conduct a forensic analysis, strengthen its systems, and complete a "comprehensive review of the data involved."
For affected users, the immediate risk appears limited. No passwords or financial data were taken. But email addresses and student IDs can fuel phishing attacks. Students and faculty at affected schools should watch for suspicious emails claiming to be from their institution or Canvas.
Related security news about platform vulnerabilities
Logicity's Take
Frequently Asked Questions
Was Canvas data actually deleted by hackers?
Instructure says it received 'shred logs' as confirmation. But cybersecurity experts note there's no way to verify that criminals truly deleted all copies. Data can be stored offline or shared before any deletion occurs.
What information was stolen in the Canvas breach?
According to Instructure, the breach involved student ID numbers, email addresses, names, and messages on Canvas. The company says passwords, dates of birth, government IDs, and financial information were not compromised.
How many people were affected by the Canvas hack?
ShinyHunters claimed to have accessed data on 275 million individuals across nearly 9,000 schools worldwide.
Who is ShinyHunters?
ShinyHunters is a hacking group that has been active for several years. They previously breached Instructure in a smaller attack and have targeted numerous other organizations with ransomware and data theft.
Should Canvas users change their passwords?
Instructure says passwords were not compromised in this breach. However, users should remain alert for phishing emails that might use stolen information like names and email addresses to appear legitimate.
Need Help Implementing This?
Source: mint
Manaal Khan
Tech & Innovation Writer
Related Articles
Browse all
Robotaxi Companies Are Hiding How Often Humans Take the Wheel
Autonomous vehicle firms like Waymo and Tesla are under scrutiny for refusing to disclose how often remote operators step in to control their self-driving cars. A Senate investigation reveals major gaps in transparency, raising safety and accountability concerns.
Wisconsin Governor Throws a Wrench in Age Verification Plans
Wisconsin Governor Tony Evers has vetoed a bill that would have required residents to verify their age before accessing adult content online, citing concerns over privacy and data security. This move comes as several other states have already implemented similar age check requirements. The veto has significant implications for the future of online age verification.
Apple's App Store Empire Under Siege: The Battle for the Future of Tech
The long-running feud between Apple and Epic Games has reached a boiling point, with Apple preparing to take its case to the Supreme Court. The tech giant is fighting to maintain control over its App Store, while Epic Games is pushing for more freedom for developers. The outcome could have far-reaching implications for the entire tech industry.
Tesla's Remote Parking Feature: The Investigation That Didn't Quite Park Itself
The US auto safety regulators have closed their investigation into Tesla's remote parking feature, but what does this mean for the future of autonomous driving? We dive into the details of the investigation and what it reveals about the technology. The National Highway Traffic Safety Administration found that crashes were rare and minor, but the investigation's closure doesn't necessarily mean the feature is completely safe.
Also Read
Sid Meier's Railroads Deserves a Modern Remake
PC Gamer's archive dive resurfaces a 2009 love letter to Sid Meier's Railroads!, the 2006 train business sim that was 'cruelly ignored upon release.' Nearly 20 years later, the game still has 108 concurrent Steam players, and fans argue it's overdue for the same remake treatment Firaxis gave other Meier classics.
5 Hands-Free Work Lights That Make Repair Jobs Easier
Holding a flashlight in your teeth while working under a sink is nobody's idea of fun. These five cordless work lights from Ryobi, Milwaukee, DeWalt, Makita, and Ridgid hang, stick, or prop themselves up so both hands stay free for the actual repair.
Samsung Strike Looms: Union Rejects Pay Deal After Talks Fail
Samsung Electronics and its South Korean labor union have failed to reach a pay agreement after marathon negotiations. The union plans an 18-day strike starting May 21, threatening production of AI chips and other semiconductors.