Canvas Learning Platform Hit by ShinyHunters Hack and Extortion Attempt

Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. [...]

Some schools and universities whose students’ data was stolen by a cybercriminal hacking group as part of an April breach of the educational tool Canvas have reached out to the hackers to prevent their data from being released, a source familiar with the matter said on Friday. ShinyHunters, a hacking group with a string of data theft and extortion campaigns targeting major global companies, said in a May 3 post on its website that it had stolen roughly 6.65 terabytes of Canvas data related to nearly 9,000 schools worldwide that included student names, email addresses and private messages between students, teachers, and other staff. Student newspapers across the country reported this week that the hack was causing widespread disruption as students prepare for end-of-year tasks and assignments. The software is used by schools for class assignments and information sharing, as well as messages between students and school faculty. The FBI said on Friday it was aware of a breach disrupting the U.S. education system, without naming Canvas. On May 5, the group posted a message saying that Canvas’ parent company, Instructure, had “not even bothered speaking to us” to prevent a data leak, and that their demand “was not even as high as you might think it is”. The message included a list of roughly 1,400 individual schools and districts, and invited the schools to contact them to negotiate and prevent data from being posted. Instructure announced in a May 1 post on its support website that it was investigating a cybersecurity incident. A post the next day, signed by Chief Information Security Officer Steve Proud, said the “information involved” included Canvas user names, email addresses, student ID numbers and messages among users. In a May 6 update, the company said the situation was resolved and that Canvas was fully operational. On May 7, students at multiple schools reported attempting to log into Canvas and finding a note from ShinyHunters with a link to the list of affected schools. Instructure pulled Canvas, Canvas Beta and Canvas Test offline a short time later, but restored access to Canvas four hours later. An Instructure spokesperson said in an email Friday that the hackers “made changes to pages that appeared when some students and teachers were logged in”. The hackers exploited an issue related to the company’s Free-for-Teacher service, the spokesperson said, which allows non-Canvas users to try certain parts of the platform. The company has temporarily shut down the Free-for-Teacher service, which “gives us confidence to restore access to Canvas, which is now fully back online and available for use”, the spokesperson said. Canvas Beta and Canvas Test remain in “maintenance mode”, according to Instructure’s support site. ShinyHunters pulled both messages off its website as of May 7, replacing them with a message saying they were “not commenting and have no further comment to make regarding this global incident”. A group representative declined to answer questions from Reuters sent via online chat. Extortion and ransomware groups pull claims about victims off their websites for any number of reasons, including sometimes that a target has paid or is in negotiations. A note sent to parents from the South Orange-Maplewood School District on Friday said the security breach occurred on April 25 and that Instructure detected unauthorised activity on April 29. Montgomery County Public Schools in Maryland told students, staff and families in an email on Friday that Canvas was returning to service, but that the district was continuing to restrict access out of an abundance of caution “until all services have been reviewed and confirmed safe for use”. Canvas has 30 million active users between kindergarten and college age, according to Instructure’s website.

Wired describes the recent Canvas breach as an unusually disruptive ransomware-style extortion incident because one attack on Instructure's learning platform temporarily paralyzed thousands of schools during finals and end-of-year assignments. The hackers using the "ShinyHunters" name claim more than 8,800 schools were affected, while Instructure says exposed data included names, email addresses, student ID numbers, and platform messages. From the report: Higher education has long been a target of ransomware gangs and data extortion attacks. But never before, perhaps, has a cyberattack against a single software platform so thoroughly disrupted the daily operations of thousands of schools across the United States. The widely used digital learning platform Canvas was put into "maintenance mode" on Thursday after its maker, the education tech giant Instructure, suffered a data breach and faced an extortion attempt by attackers using the recognizable moniker "ShinyHunters." Though the hackers have been advertising the breach and attempting to extract a ransom payment from Instructure since May 1, the situation took on additional immediacy for regular people across the US and beyond on Thursday because the Canvas downtime caused chaos at schools, including those in the midst of finals and end-of-year assignments. Universities like Harvard, Columbia, Rutgers, and Georgetown sent alerts to students about the situation in recent days; other institutions, including school districts in at least a dozen states, also appear to have been affected. In a list published by the hackers behind the attack on their ransom-focused dark web site, they claim the breach affected more than 8,800 schools. The exact scale and reach of the breach is currently unclear, though. And the fact that Canvas was down throughout Thursday afternoon and evening further complicated the picture. In a running incident update log that began on May 1, Steve Proud, Instructure's chief information security officer, said that the company had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." He added on May 2 that "the information involved" for "users at affected institutions" included names, email addresses, student ID numbers, and messages exchanged by users on the platform. The situation was ultimately marked as "Resolved" on Wednesday, with Proud writing that "Canvas is fully operational, and we are not seeing any ongoing unauthorized activity." At midday on Thursday, though, the Instructure status page registered an "issue" where "some users are having difficulties logging into Student ePortfolios." Within a few hours, the company had added another status update: "Instructure has placed Canvas, Canvas Beta and Canvas Test in maintenance mode." Late Thursday evening, the company said that Canvas was available again "for most users." TechCrunch reported on Thursday that the hackers launched a secondary wave of attacks, defacing some schools' Canvas portals by injecting an HTML file to display their own message on the schools' Canvas login pages. According to The Harvard Crimson, attackers modified the Harvard Canvas login page to show a message that included a list of schools that the hackers claim were impacted by the breach. The message from attackers "urged schools included on the affected list to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12 -- or else risk their data being leaked," The Crimson reported. "It is unclear what information tied to Harvard affiliates was included in the alleged breach." Read more of this story at Slashdot.

Canvas redirects users to a message from ShinyHunters in which the group claims responsibility and posts a list of schools that had been breached