Canvas breach spotlights cybercriminal appetite for student data

Cyberattacks on widely used third-party services like Canvas can expose sensitive data that hackers can later weaponize. Higher education institutions are often a prime target.
A major cybercrime gang’s hack of Canvas is highlighting how education technology providers have become attractive targets for cybercriminals, whose access to student records, login credentials and other sensitive data can create opportunities for fraud, identity theft, extortion and future intrusions.
ShinyHunters on Thursday claimed responsibility for a hack of Instructure’s Canvas platform, which thousands of institutions use for course materials and class management. An extensive document posted by the hackers and obtained by Route Fifty lists some 9,000 customers apparently impacted in the breach, including Georgetown, Harvard and Cornell universities. It’s not clear whether all victims listed were accessed, or what data may have been stolen.
As Instructure worked to restore services, the hackers appeared to launch follow-on attacks, while students flooded social media during final exam season with photos and videos showing compromised Canvas pages appearing upon login. ShinyHunters claims it accessed names, email addresses, student identification and private messages.
The hacking group said Saturday it would not comment further. An extortion message posted on affected sites says that Instructure has until May 12 to reach out to the hackers. ShinyHunters has since removed Instructure from its Pay-or-Leak portal, and the company says Canvas functions have been restored.
Route Fifty has asked Instructure if it is negotiating with the group or has paid a ransom to prevent data from being leaked.
The FBI is likely investigating the incident, according to two people familiar with the matter who requested anonymity to communicate their understanding of the government’s response to the breach.
An FBI spokesperson said on Friday that the bureau is aware of the compromise.
“If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands. By receiving a message, that does not necessarily mean your personal information has been compromised,” their statement said.
Hackers often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims, the FBI spokesperson added. “We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the [Learning Management System] provider, or law enforcement and to verify the contact through known channels before responding.”
Universities are a “treasure trove” of data and ransomware hackers know this, said Cynthia Kaiser, a former senior FBI cyber official. “At the same time, the openness that defines higher education can make these institutions more exposed than many other organizations.”
Kaiser, now vice president of the Ransomware Research Center at Halcyon, said that criminal hacker groups frequently obtain credentials from other intrusions and use them to carry out other hacks.
“You have to remember that groups like ShinyHunters, Lapsus$ and Scattered Spider often log in rather than hack in,” she said, referring to a slew of major criminal hacker gangs that have made headlines for their intrusions over the years.
Any stolen data wouldn’t enable immediate financial theft, though it’s highly valuable for targeted phishing and social-engineering attacks, said Adam Marrè, a former FBI special agent and Chief Information Security Officer at Arctic Wolf.
“The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate. Students, parents, and educators should stay alert for unexpected or urgent messages, avoid clicking unverified links, enable multi-factor authentication on email accounts and be cautious with any request for personal information,” he said.
The House Homeland Security Committee is investigating the matter, according to a letter sent Monday to Instructure CEO Steve Daly from Rep. Andrew Garbarino, R-N.Y., the panel’s chairman. He asked company executives to brief lawmakers and staff by May 21.
Instructure said in a blog post that the unauthorized access involved information like usernames, email addresses, course names, enrollment information and messages. The company also “identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited.”
It’s not known how long it took for the hackers to craft the plan for the intrusion, but the fact that they carried it out during final exams “shows the level of planning that went into this attack,” said Damien Skeeles, a senior manager at Filigran, which sells open-source cybersecurity solutions.
“You wonder how much more planning went into it, and how many more acts there are to follow,” he said.



