Instructure confirms data breach; ShinyHunters claims attack
▼ Summary
– Instructure, the company behind Canvas, confirmed a cyberattack exposed user data including names, email addresses, and student ID numbers, but not passwords or financial information.
– The ShinyHunters extortion gang claimed responsibility, stating they stole data from nearly 9,000 schools affecting 275 million individuals and billions of private messages.
– Instructure deployed patches, increased monitoring, and rotated application keys in response, requiring customers to re-authorize API access.
– ShinyHunters alleged the data was stolen via a patched system vulnerability and includes records from about 15,000 institutions across North America, Europe, and Asia-Pacific.
– BleepingComputer could not independently verify the extent of the breach and is seeking more details from Instructure.
The education technology sector has been rocked by a significant security incident, as Instructure, the company behind the widely adopted Canvas learning management system, confirms a data breach. The ShinyHunters extortion group has publicly claimed responsibility for the attack, raising serious concerns for millions of users worldwide.
Instructure, a U. S.-based firm that provides digital infrastructure for schools and universities to manage courses and online learning, first acknowledged a cybersecurity incident on Friday. By Saturday, the company updated its statement, revealing that personal information of users was compromised. According to the official release, the exposed data includes “certain identifying information” such as names, email addresses, and student ID numbers, as well as messages exchanged between users. However, Instructure has stated that, so far, there is no evidence that passwords, dates of birth, government identifiers, or financial information were taken. The company promises to notify any impacted institutions if that assessment changes.
In response, Instructure has deployed security patches, ramped up monitoring, and rotated application keys as a precaution. Customers must now re-authorize access to Instructure’s API for new application keys to be issued.
While Instructure has not answered BleepingComputer’s inquiries regarding the timeline of the breach or whether it is being extorted, the ShinyHunters extortion gang has already listed the company on its data leak site. The group claims the breach affects “nearly 9,000 schools worldwide” and involves 275 million individuals, including students, teachers, and staff. The threat actor alleges that billions of private messages between students and teachers, along with personal conversations and other personally identifiable information (PII), have been stolen. They also claim that Instructure’s Salesforce instance was breached, exposing additional data.
According to ShinyHunters, the data was stolen through a vulnerability in Instructure’s systems, which has since been patched. The alleged dataset reportedly contains over 240 million records, including names, email addresses, enrolled courses, and private messages. The threat actor suggests the data spans nearly 15,000 institutions across North America, Europe, and the Asia-Pacific region.
BleepingComputer has not independently verified the scope of the breach or the number of impacted individuals, and has reached out to Instructure for further clarification on the threat actor’s claims.
(Source: BleepingComputer)
