Instructure, the company behind the widely used Canvas learning management system, is facing increased pressure from cybercriminals who claim to have stolen a substantial amount of sensitive data. ShinyHunters, a known cybercriminal group, has threatened to leak this data unless a ransom is paid, adding urgency to the ongoing investigation into the prolonged cyberattack.
The incident caused significant disruptions late last week when Instructure took Canvas offline due to additional malicious activity, including the defacement of the platform’s login page. By Friday, Instructure reported that Canvas, a central platform for educational institutions, was back online and fully operational. The group behind the attack has demanded an undisclosed ransom from Instructure, though the company has not confirmed the existence of such a demand.
Instructure Addresses Cyberattack and Data Breach Concerns
Instructure CEO Steve Daly issued an apology over the weekend for inconsistent communication and a deficient public response to the cyberattack. He acknowledged the disruption experienced by users and admitted the company did not provide the expected level of consistent communication. The attack, which is still under investigation with assistance from the cybersecurity firm CrowdStrike, exposed usernames, email addresses, course names, enrollment information, and messages, according to Daly. However, he stated that course content, submissions, and user credentials were not compromised.
The widespread disruption has raised concerns across the education sector, with cybersecurity experts closely monitoring the situation. The cyberattack has also drawn the attention of lawmakers. On Monday, the House Homeland Security Committee sent a letter to Daly requesting a briefing by May 21 to discuss the details of both intrusions, the nature and volume of data accessed, and Instructure’s response measures.
Timeline and Nature of the Vulnerability
Instructure’s account of the attack’s timeline has evolved. The company stated it first detected unauthorized activity on April 29 and immediately revoked the attacker’s access. However, researchers not directly involved in the investigation suggest ShinyHunters may have gained access a few days earlier. The subsequent malicious activity on May 7, which involved defacing public login pages, was confirmed by Instructure to be linked to the same incident.
Instructure revealed that the unauthorized actor exploited an issue related to its Free-For-Teacher accounts, the same vulnerability that led to the initial unauthorized access. In response, the company temporarily shut down these Free-For-Teacher accounts. Instructure has not provided details about the specific vulnerability or how attackers infiltrated its systems.
Instructure has implemented several security measures, including revoking privileged credentials and access tokens, rotating internal keys, restricting token creation, and deploying additional security controls and monitoring. The company asserts that Canvas is now fully operational and safe to use, with CrowdStrike finding no evidence of current attacker access to the platform.
Despite Instructure’s assurances, some users are still experiencing intermittent access issues as school districts work to restore the platform in phases after conducting their own internal security checks. This incident highlights the critical role of third-party vendors in an organization’s overall cybersecurity posture and the cascading effects a breach can have across an entire sector.
The group ShinyHunters, known for complex data extortion schemes, has previously targeted major cloud platforms. While their claims of compromise are often accurate, the actual scale and type of data stolen can be exaggerated. Cybersecurity professionals generally advise against paying ransoms, but acknowledge that companies must weigh various factors, including user data security, when responding to such threats.
Instructure has not disclosed its strategy for preventing the leak of the claimed stolen data. CEO Steve Daly pledged to improve communication and provide a summary of the forensic report, acknowledging that the company misjudged the balance between fact-finding and providing timely updates. Rebuilding trust, Daly stated, will require consistent action and honest communication from Instructure moving forward.

