
Instructure Reaches Deal With Hackers in Canvas Attack

Summary

– Instructure reached an agreement with the ShinyHunters cybercriminal group after a breach affecting nearly 9,000 educational institutions.
– The attackers returned the stolen data and provided digital confirmation of its destruction, with assurances that no customers will be separately extorted.
– The breach exploited a flaw in the Free-For-Teacher version of Canvas, siphoning about 275 million records including usernames and emails.
– Researchers warned that leaked records could enable follow-on phishing attacks impersonating school staff, urging institutions to issue advisories.
– Instructure shut down Free-For-Teacher accounts, revoked credentials, rotated keys, and deployed additional security controls in response.

The Utah-based company behind the widely used Canvas Learning Management System has confirmed it struck a deal with the cybercriminal group responsible for the massive data breach last month. The attack compromised information belonging to nearly 9,000 educational institutions.

In a formal incident update, Instructure stated it “reached an agreement with the unauthorized actor involved in this incident.” The company stopped short of revealing whether a ransom was paid, though the group believed to be behind the attack, ShinyHunters, typically demands payment in Bitcoin through encrypted negotiations.

As part of the arrangement, Instructure said the deal covers all affected customers, meaning individual schools and universities do not need to contact the hackers directly. The stolen data has reportedly been returned, and the company claims to have received digital confirmation of its destruction, along with assurances that no Instructure customer will face separate extortion demands.

While acknowledging the inherent risks of trusting cybercriminals, the firm emphasized it has taken every reasonable step within its control to reassure its clients. However, engaging with ransomware groups directly contradicts standard law enforcement advice, and there is no guarantee that exfiltrated data has truly been erased.

The phishing threat remains long after the settlement. The original breach exploited an undisclosed vulnerability in the Free-For-Teacher version of Canvas, allowing attackers to exfiltrate roughly 275 million records. Stolen information included usernames, email addresses, course names, enrollment data, and messages. Instructure has stressed that course content, student submissions, and login credentials were not accessed.

A second wave of attacks on May 7 saw hackers deface Canvas login portals at approximately 330 institutions with extortion messages, setting a May 12 deadline for negotiations. Researchers at Halcyon, the cybersecurity firm tracking the campaign, warned that leaked records could be weaponized to “impersonate school administrators, IT support or financial aid offices” in targeted follow-on attacks.

Even with the stolen data ostensibly returned, Halcyon urged affected schools to issue phishing advisories and direct communications to staff, students, and parents without delay. In response, Instructure has temporarily disabled Free-For-Teacher accounts, revoked privileged credentials and access tokens for affected systems, rotated internal keys, and deployed additional security controls. The company is also working with forensic vendors and conducting a comprehensive review of all exposed data.

(Source: Infosecurity Magazine)
