
Instructure Canvas hack update: Breach involved a specific teacher account type and interrupted finals


The hacking collective ShinyHunters says it disrupted a major education platform not once but twice over the past few weeks. And the data breach could not have come at a worse time for students and teachers. These events unfolded during school finals at many of the affected institutions.

On April 30, Instructure, the edtech company behind Canvas, the popular Learning Management System (LMS) utilized by educational institutions around the world, temporarily went offline. A day later, Instructure confirmed that a "criminal threat actor" was behind a breach of the company's systems.

According to ShinyHunters, the group stole data from 275 million Canvas users at nearly 9,000 schools worldwide. The affected users include students, teachers, and staff, and while no passwords or other sensitive data were taken, the data stolen was significant. The hackers claimed usernames, email addresses, student IDs, and private messages exchanged on the platform were part of the stolen data. Some of the impacted users are underage students.


Shortly after the hack, Instructure confirmed that it had revoked the bad actors' access, taken measures to fix the issues and prevent another breach from occurring, and brought Canvas back online.

However, just one week later, ShinyHunters says it hit Canvas again. This time, the hackers compromised school-specific login pages for the platform and defaced the pages with messages threatening to publicly release the stolen data from the previous breach unless Instructure agreed to "negotiate a settlement."

A monetary demand from ShinyHunters was not surprising. The ransomware group is known for extorting victims following a data breach. A second breach at Instructure, however, was a surprise. Canvas once again went offline, and when it came back, the company had removed the source of the second incident: Free for Teacher accounts.

According to a newly updated incident page on Instructure's website, the company says it "identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited."

"We temporarily disabled Free for Teacher while we complete a full security review," the company said. "We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first."

While the second breach did not result in any stolen data, the timing of the security incident could not have been worse for students, as many schools are currently holding finals and other scheduled deadlines for end-of-year coursework.

As PCMag reports, "students and professors struggled to access the online platform used to submit assignments and tests." (Disclosure: PCMag and Mashable are both owned by the same parent company, Ziff Davis.)

According to data provided to Mashable from Alliance Risk Trends, Google searches for "canvas hacked" and "canvas down" spiked roughly 1,000 percent just this past Friday. There was a combined search volume of more than 1 million for searches involving the Canvas security incidents and subsequent downtime.

Some readers reached out to Mashable to share their experience. One parent of a student at Seton Hall University forwarded Mashable an email that the school sent out while Canvas was down.

"We know the timing of this is hard," the school's email to students read. "Finals are underway, coursework is due, and Canvas being offline right now is genuinely disruptive."

Some schools, such as Baylor University in Texas, postponed final exams on Friday specifically due to issues accessing Canvas.

"With Canvas down at the national level, Baylor University will delay final exams tomorrow (Friday, May 8, 2026)," the school said in a statement.

Canvas is now back online. However, ShinyHunters' "settlement" deadline to release the data on May 12 still looms.




from Mashable https://ift.tt/NpXTuW9