Instructure breach: ShinyHunters claims it stole private messages and data from 275 million teachers and students
 |
| ShinyHunters says it's behind a recent data breach at edtech giant Instructure. Credit: Piotr Swat/SOPA Images/LightRocket via Getty Images |
ShinyHunters have struck once again. This time, the hacker group says it has breached systems belonging to one of the biggest educational tech companies.
Edtech giant Instructure, the company behind the popular Learning Management System (LMS) Canvas, announced that it was experiencing a service disruption on April 30.
The next day, on May 1, the company confirmed that it experienced a "cybersecurity incident perpetrated by a criminal threat actor."
Instructure largely addressed the issues by May 2 and shared that it would continue to monitor its platforms and investigate how the cyberattack occurred. The company said it patched its security system, revoked certain credentials and access tokens, and rotated API keys "out of an abundance of caution."
ShinyHunters, the now-infamous hacking collective known for social engineering and ransomware, claimed responsibility and uploaded 3.65 terabytes of related stolen data to its website on May 3, as reported by SecurityWeek.
What data was stolen?
Instructure says that passwords and other private credentials were not stolen in the breach.
However, the affected data reportedly includes users' names, email addresses, student IDs, and private messages exchanged on the platform.
According to ShinyHunters, the stolen data is associated with 275 million users at nearly 9,000 schools around the world. These users include students, teachers, and staff.
ShinyHunters also claimed that billions of private messages between users, including students and teachers, were stolen as well, according to Bleeping Computer. The group says Instructure's Salesforce instance was also breached, and related data was stolen.
ShinyHunters have been involved with several high-profile data breaches recently. Companies ranging from the bakery chain Panera Bread to the security firm ADT have all experienced data breaches tied to the group. Anime streaming service Crunchyroll and the dating app Bumble have been breached by ShinyHunters as well.
Last month, ShinyHunters were also behind the breach into Rockstar Games, the video game developer behind the GTA series, including the long-awaited Grand Theft Auto VI.
All of these ShinyHunters data breaches have occurred since the beginning of the year.
Want to learn more about getting the best out of your tech? Sign up for Mashable's Top Stories and Deals newsletters today.
Topics Cybersecurity
Looks really bad. I read this Canvas breach affects something like 8000-9000 schools? Up to 275 million users.
ReplyDeleteFrom instructure's status page (people who made Canvas): https://status.instructure.com/
such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
So we all have our names, emails, student IDs, and our Canvas messages and god knows what else uploaded up there publically. So much for FIPPA and "sensitive student data" I guess. But I guess it could've been worse. It would've been really bad if the breach included stuff like our SIN, birth date, or any other PIID (like the stuff we keep on workday) since that'd make impersonation a lot easier.
Though apparently that Canvas breach was resolved a few days ago. This one seems new. Seems like if you were using Canvas at all recently, you should log out and maybe change your password.
If you are logged in, please log out immediately and do not log back in until you are notified by UBC IT that is safe to do so. If you have logged in after 12 p.m. PT on Thursday, May 7, please change your CWL password immediately and reach out to security@ubc.ca.
Trying to think about how logging in or being logged in could possibly be an issue
DeleteCould be just a safety precaution. The breach could also be a scenario where the attackers got access to session cookies, basically allowing them to hijack any logged in user and then allowing them to do anything the user could do (such as obtaining very personal info, impersonation, modifying or deleting course shells (if professor), changing the account password, etc.).
DeleteSome of these things (like if your account details got changed by the attacker or modified course shells) can get recovered by IT. But leaked info or impersonation attacks can't really be retroactively fixed.
Logging out of your account deletes the session. And changing your CWL password probably logs you out of all devices.
Or, like u/undercoverknows https://www.reddit.com/user/undercoverknows/ sorta suggested, if the Canvas server is truly hijacked, they could make the server send a compromised version of the login page that tracks what you entered into the login page (allowing them to capture the password you entered).
We'll probably find out over the next few days what the damage is.
Could be set up to capture password now? Giving access to you student profile.
DeleteIs Workday affected? I am encounting the technical issue that I am unable to drop a summer course in Workday, there is no drop option in the action column. Anyone else had the similar issue in Workday?
DeleteWhat is the name of this email? I can't find it. Was I the only one who didn't get it? Did anyone else get the email?
ReplyDeleteMy friends who transferred to UBCV received the email and sent it to me in case I didn’t already know, but both campus UBC Instagram accounts have been making it clear that Canvas is down
DeleteIs Workday affected? I am encounting the technical issue that I am unable to drop a summer course in Workday, there is no drop option in the action column. Anyone else had the similar issue in Workday?
ReplyDeleteThis comment has been removed by a blog administrator.
DeleteThanks. I found the cause, and get it resolved.
DeleteThis comment has been removed by a blog administrator.
ReplyDeleteMy summer class prof has already sent out an email about this and they’ve put together a OneDrive folder with the readings, zoom link, and whatnot
Deletebruh i got two finals due this weekend will they be cancelled
ReplyDeleteInstructure Canvas - the hosted provider for many educational institutions got hacked. This is not a Nova issue. This is not even a VCCS issue. MIT, Berkeley, and many, many, many others are also affected.
ReplyDeletelmao literally as i was trying to submit my calc 2 final
ReplyDeleteLMFAO I just finished my final exam and turned it in and refreshed my page after turning it in
ReplyDeletethey hit almost 9000 schools with this hack
ReplyDeleteBro I have a project due 😭
ReplyDeleteI think since Drexel doesn’t log in directly through the Canvas login the passwords are more likely to be safe anyway.
ReplyDeletePasswords, very likely safe. Unless they were using Canvas for continuing Ed - in which case they may use local auth so they don’t have to create CE students in AD.
DeleteI think the big thing is going to be the private message content.
I won't really care if the public knows that I got an A on some discussion questions
DeleteComment deleted by user
ReplyDeleteFinals haven't happened yet...wise up.
DeleteAnyone need some stress relief for finals?
ReplyDeleteThis is impossible. Surely AI, backed by trillions of dollars of capital investment and giant, energy guzzling data centers every five miles, can stop little human hackers.
ReplyDeleteI think the AI data centers are currently being used to make awful memes and commercials.
DeleteI’m sorry but how bored do you have to be to hack canvas
ReplyDeleteStudent data is probably pretty valuable depending on what is on there, especially if it contains class content like slides/books/etc.
DeleteAlso, it could be foreign countries looking for information.
So there’s a scam where people sign up for college and register for all online courses but then ghost the classes. It’s about getting a student loan check sent to you and then never paying it back. Maybe the data breach had something to do with that?
DeleteUr reading too much into it
DeleteLMAOOO fr
DeleteAre we on the list my connection is too slow to check rn.
ReplyDeleteOnly two schools have been confirmed, one in Michigan(?) and one in Tennessee. But it looks like 8,800 schools and 253,000 people are affected. So probably.
DeleteBut can’t change grades, pathetic
ReplyDeleteSweet, i'll be excited to get my check for $2.28 in six years from all of my private and confidential information landing on the dark web.
ReplyDeleteHey man, at this rate, those $2 checks gonna start adding up.
DeleteDon't worry, inflation will still make the lot of them worth about as much as a single item off a fast food value menu
Deletehaha. Truth. It is another level of existential despair to realize that your entire lifes data is barely worth a Jr Bacon Cheesburger.
DeleteI have 5 so far, I can soon afford one meal.
DeleteWhat if it is paid out in Trumpcoin?
DeleteWell the bright side is if you're a student today you'll be drowning in debt years later in our fascist hellscape so there won't be anything of value for bad actors to steal :)
Deletecould potentially use that info to take out even more predatory student loans?
DeleteYou’ve been getting checks?? I’ve just been getting 6 months free for useless credit monitoring bullshit…
Deleteagain
DeleteRight?!
DeleteSo thats why I couldn't get in today.
ReplyDeleteThey're just fucking over so many students and teachers literally right at finals time.
My kid just got an automatic 100% on his final because of it so he’s happy lol
DeleteLucky... My class took our final last week, and this week we have to complete a "managerial accounting internship simulator" that takes 15 to 20 hours... I was working on it today and it timed out. Couldn't get back into Canvas to reload. Checked my email and one email alerted me to the worldwide security breach/data leak and another said Canvas is down until further notice. I emailed the professor who then responded to the entire class, "Sorry for the inconvenience, but the good news is that you can complete the final simulator project using this link." 😑
DeleteEdit to add: I saw reports saying it was back up, but it's still down for my school. -UPDATE- Its back up again.
You're school didn't have the common courtesy to send an alert?
DeleteUnless they sent something to my student email I dont know how else they would have alerted me, with Canvas being down at the time.
DeleteTL;DR:
ReplyDeleteOver 7,500 schools affected across the world (not just North America), including K-12 and colleges. More than 275 million records were stolen and ransom demands were made. Stolen data is believed to be emails, phone numbers, names, and student IDs. Private messages may also have been leaked. SSNs and financial data is likely safe.
Other sources I've found suggest that Instructure may have paid the ransom already. The college I'm in is showing it as "down for scheduled maintenance" and I expect this to continue into tomorrow at least.
The ShinyHunters group claimed responsibility for the attack.
Actionable stuff: turn on MFA where you're able, change passwords, and freeze your credit reports if they aren't already (it's free). Yeah, they probably didn't breach financial data, but you should freeze your credit anyway since it's always a matter of time.
If your financial data and special were canvas you were really fucken up lol
DeleteI would think moreso people that re-use passwords for the sites that hold that data is what the person was suggesting
DeleteFortunately my canvas password is unique to every other password I have because my school made sure to make me set up a weird password.
DeleteWould not be surprised if financial aid data is in canvas or connected to it
DeleteWould be weird if it was. I’ve been to 4 colleges that used canvas and it’s just a platform for assignments and grading. Like a little social media set up for professors and their students to engage with eachother and the content the professors put out
DeleteAh true. I was a blackboard admin and it all sort of depends on what’s enabled. The big thing would be health/ada stuff, and commentary/attendance feeding into fin aid approval. I guess I would be concerned if the hack of instracture reveals more data with being connected to other systems at campuses. While generally the data would flow one way out of an lms, I have no idea how ransomware/cyber attacks work and if the hack goes beyond the system itself. All speculation. And I hope this is just me doing tinfoil
DeleteTends to be from my understanding of a random attacks is it takes control and locks you out of your accounts and data until you pay up
DeleteYou would be surprised what the olds and the youngs will send over a platform. I am 100% theres more than one teacher that had their tax documents in canvas somehow lol
DeleteWhen I was taking tax classes we had a lot of tax documents in canvas. So facts. But also. Hypothetically correct is best corrext
DeleteI graduated last year and in hindsight am so glad I was lazy af and ignored putting all my personal info on canvas or any other related university services when the university asked me to and have mfa enabled. Also they dont have access to any payment info or such iirc just whatever is available on canvas.
DeleteOh no. Letting data accumulate within a single data structure of a single supplier who could’ve guessed…
ReplyDeleteBiologists everywhere:
https://media3.giphy.com/media/v1.Y2lkPTc5MGI3NjExMnBiY3pxOWEycjZ6NjR0NnZpMHk4dW1qNDBnbHNiOW5xOXNkY2U5eCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/jWiQ6oYjuyAHZ4wsVR/giphy.gif
(Jeff Goldblum can chastise me anytime)
DeleteBut yeah, Canvas and D2L and similar…. Universities need to stop spending gobs of money on these substandard, insecure vendors’ products.
Exactly (both points).
DeleteComment deleted by user
ReplyDeleteeLearning and Blackboard users party
DeleteExceedingly rare blackboard W
Deletefirst one recorded actually
DeleteSpaghetti monster reference… nice.
DeleteRamen
DeleteCan they delete the student debt database next?
ReplyDeleteIt is quite disgusting to me that hackers will go after universities and hospital systems when there is such a wealth of worthier targets.
DeleteBuuuuut I guess you go where the security isn’t when you’re functionally amoral.
After the Alberta government gave away our data to separatists, getting violated like this doesn't even bother me any more. I expect this shit from hackers, not the fucking government.
ReplyDeleteNo one knows the plan for finals at my college now :<
ReplyDeletemore time to study!
DeleteIt’s not just nationwide in America, it hit Australian schools too lol
ReplyDeleteMy essays! My discussion posts! Holy fuck.
ReplyDeletePlease read them
The article did not disclose that student’s grades are on these platforms, as well as most of the course content for classes, which could be sold to AI farms. Student messages also contain private info like if they fell ill and missed class.
ReplyDeleteI think the real intel with this situation is how very unprepared users are to deal with the situation. I currently have students and faculty emailing me every few seconds apparently with no knowledge of the hack which happened on Monday. They didn’t pay any attention to the news between then and now, it seems. God help them if this is their relationship to news if there’s an actual emergency like a weather event or war.
ReplyDeleteCanvas just came back up per the CNBC update OP'S link.
DeleteWill anyone learn any lessons from this? Probably not.
How insulated people are from what happens around them is terrifying.
Someone should make a canva course covering the lessons to be learned from this.
DeleteTo be fair, May is often when finals are scheduled (end of spring quarter). No one's watching the news when they're finishing projects and getting ready for finals.
DeleteMy school was good about sending out emails, at least, while I was enrolled. If a water main needed repair or there was a weather event, we'd get an email and often a text.
Were they notified by e-mail of the hack? Did you notify them of the hack?
DeleteAm I the only one who saw "canvas hacked",and hoped for grade improvements for everyone??
ReplyDeleteWell, they already got my kid’s data last year when they hacked our Children’s Hospital records for ransom. Now they have his Canvas info too. And so it continues…
ReplyDeleteI’m sorry. They hacked a children’s hospital in our area a few years back and got my son’s as well.
DeleteWe need hackers with an ethical framework, damnit.
You know, if a company like Palantir wanted to sell intelligence analysis of data like this with plausible deniability for the hack, they'd have to release all the data publicly...
ReplyDeleteSurely there are better places to hack in
ReplyDeleteSon of a bitch
ReplyDeleteCanvas? Is that the same MyCourse?
ReplyDeleteOh, so this is why Canvas was down last night.
ReplyDeleteDid the Proctorio extension get breached as well? Curious if their proctored videos of my bedroom are now out there.
ReplyDeleteI don't think it did, but I was never a fan of having to install what's essentially a rootkit just to take my exams. I'd rather drive to a testing center or something.
DeleteSigh. Why though, aren’t there piles of pedophiles that could be jacked into?
ReplyDeleteChurch websites are notoriously lax in security
DeleteI'm in higher ed. Worst computer issue I've ever seen. My question: How do we know that grades haven't been changed? That would be a hack.
ReplyDeleteShort answer, we don't.
DeleteLonger answer, I'm under the impression that Canvas is just the system for discussions, quizzes, and initial grades. I'd hope that official grades are stored on another system with better security and redundancy. Recent events make me question that, though. The attackers are probably after data they can ransom off and make a profit from. Grades are probably pretty low on that pole.
Nope. I use it. It is the repository for class grades. At the end of the semester you open the University grade system. My point is that Canvas has all the test, assignment etc grades. Mess with that and you have no idea what anyone did. There isn't a paper copy
DeleteThe real problem is all the internal emails that is being threatened with being leaked. Student/teacher emails, etc could be an issue
I wonder what certain people could do with private data of an entire generation of students over the next 20-30 years. Keep a database of blackmail targets?
Deletehard to believe that the world has just settled on corporations paying ransoms - really the best we can do? 😳 - tax free business model for hackers rewarded for their crimes :(
ReplyDeleteIts better than NDIS
DeleteShows how inept the system is if they pay off criminals rather than bullet proof the system.
ReplyDeleteHow about making paying a ransom to one of these hackers a criminal offence. If hacked and blackmailed then it must be reported to the police and they take over.
ReplyDeleteEvery time we pay a blackmailing hacker it'll encourage 10 more to target OZ and then everyone is losing here.
spot on!
DeleteThats not going to get your data back.
DeleteAuthorities are useless.
True but shoving the problem onto others by paying doesn't help the country. So YES a few who did not manage their data will suffer but we will be less of a target.
DeleteInstead of investing in Ciber security now they paid 13 million to hackers
ReplyDelete100%
DeleteEveryone loves the ‘should’ve invested in cybersecurity’ line, but most of the big breaches lately haven’t come through the front door, they’ve come through third‑party vendors doing sweet FA to secure their own systems.
DeleteYou can spend millions hardening your own network, but if a partner is running 2026 infrastructure on 2012 security practices, congratulations: you’ve just inherited their vulnerabilities.
Paying the ransom isn’t a flex, it’s a symptom. The real problem is the supply‑chain security gap that keeps letting attackers stroll in through someone else’s unlocked window.
They support terrorism
DeleteMaking these type of records or any industry sensitive data available online is just asking for trouble, why is it not isolated internally, and not subject to online hacking.
ReplyDeleteWhat happens the next time someone else does it?
ReplyDeleteA warning to others.
So now we are rewarding the criminals? WTF
ReplyDeleteAnd what happens if they pay the ransom and the crims keep the data...and then ask again for more money....we are flipping stupid.
ReplyDeleteNow offer them a job so it wont happen again if they are that good.
ReplyDeleteqld lnp proven soft on crime, covering up ministers affairs, watering down of e bike legislation, and now paying money to criminals to fix their incompetence what next?
ReplyDeleteHackers now retiring to the French Riviera , nice work if you can get it.
ReplyDeleteNow, let's put all our data into a digital ID or wallet!
ReplyDeleteWe've known about hacker risk for years. Why aren't the useless idiots running this being sacked?
ReplyDeleteis this the same learning app that is responsible for australian kids IQ dropping over the last couple of years?
ReplyDeletewe still talking about this scam?
its a platform for students to upload assignments to etc, and to interact with other students and teachers.
Deletei think you might be confused