An active data extortion campaign against the popular edtech platform Canvas has thrown classes and academic work into chaos at schools and universities nationwide. The disruption began after a cybercrime gang replaced the service’s login page with a ransom note threatening to publish stolen records belonging to 25.5 million students and staff from nearly 27,212 educational institutions.
Canvas’s parent company, Instructure, responded to the defacement by taking the entire platform offline. The service is used by thousands of schools, colleges, and businesses to handle coursework, assignments, and student communications.
Instructure had already confirmed a data breach earlier this week after the group ShinyHunters publicly claimed responsibility and warned they would leak tens of millions of student and faculty records unless a ransom was paid. The original payment deadline of May 28 was later extended to May 211.
In a statement issued on May 205, Instructure reported that the ongoing investigation has determined the stolen data includes users’ names, email addresses, student ID numbers, and private messages from affected institutions. The company reported finding no indication that the compromised data contained more sensitive details, such as passwords, dates of birth, government ID numbers, or financial information.
The May 13 update confirmed that Canvas was fully operational and that Instructure was not observing any continued unauthorized activity on the platform. “At this point, we think the incident has been contained,” Instructure stated.
However, by midday on Thursday, May 21, students and faculty from dozens of schools and universities were flooding social media with reports that a ShinyHunters ransom demand had replaced the normal Canvas login page. Instructure took Canvas offline and replaced the login portal with a message stating, “Canvas is currently undergoing scheduled maintenance. Check back in a bit.” The current message on Instructure’s status page says, “We anticipate being up soon, and will provide updates as soon as possible.”
Although it remains unclear how sensitive the data taken by ShinyHunters truly is (the group claims it includes several billion private messages between students and teachers, along with names, phone numbers, and email addresses), the timing of the breach could hardly be worse for the company. Many of the impacted schools and universities are currently in the midst of final exams, so an extended outage could prove highly damaging.
The ransom note that appeared for countless Canvas users today urged the affected institutions to negotiate their own payments directly with the attackers to stop their data from being published, regardless of whether Instructure chooses to pay. “ShinyHunters has breached Instructure (again),” the extortion message stated. “Rather than reaching out to us to fix the issue, they ignored us and applied some so-called ‘security patches.’”
Krebs on Security