Mastodawn

Matt Simpson May 8

New, from me: Canvas Breach Disrupts Schools and Colleges Nationwide

"An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions."

"Canvas parent firm Instructure responded to today's defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students."

Lots more here:

https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/

#canvas #breach #shinyhunters #instructure

BrianKrebs May 12

Instructure says it paid a ransom. SMH

"STATUS UPDATE 5/11/26

We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority."

"With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:"

"The data was returned to us.
We received digital confirmation of data destruction (shred logs).
We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise."

'This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses."

https://www.instructure.com/incident_update

Security Incident Update & FAQs

Instructure

Mike Sheward May 12

@briankrebs “the criminals have informed us they will do no other crimes, and who are we to believe otherwise”

Dan Schnau May 12

@SecureOwl @briankrebs what a joke

Mike Sheward May 12

@danschnau @briankrebs maybe its just the final lesson of the semester, no matter how hard you work, someone will come a long at the last second, steal it, and get paid more than you can ever imagine

setting them students up for the AI economy

Dan Schnau May 12

@SecureOwl @briankrebs it definitely doesn’t do much to combat the belief that “crime doesn’t pay” when literally it does

Joe ❌👑May 12

@briankrebs Wow, if there's a "shred log", we are really sure that they deleted all the data and don't retain any copies to blackmail us again with.

@not2b @briankrebs Logs can't be doctored, it's literally impossible.

(big, fat, /s)

John Breen May 12

@briankrebs Wait, "shred logs" are a thing ?

...They promised they destroyed the negatives...

Also, "there is no need for individual customers to attempt to engage with the unauthorized actor" sounds a little like "pay no attention to the man behind the curtain".

They don't have your data, so go ahead and engage them, right ?

Cliff'sEsportCorner May 12

@briankrebs "received digital confirmation of data destruction" umm https://www.youtube.com/watch?v=dTRKCXC0JFg

Princess Bride, "You keep using that word. I do not think it means what you think it means."

YouTube

@briankrebs it's real weird to pay the ransom for positive PR

Isaac Lyman May 12

@briankrebs I like to think “shred logs” is an interjection by their hype man. It’s not a PR statement, it’s rap lyrics

tehfishman May 12

@briankrebs these people are so credulous that they would lose a game of peek-a-boo

adison verlice May 12

@briankrebs asn't that the company that hosted canvus?

@briankrebs damn they really just made every other company in education a target

@briankrebs what does this even mean:

"The data was returned to us. We received digital confirmation of data destruction (shred logs).”

…other than *absolutely nothing*?

Alun Jones May 12

@europlus @briankrebs what it realistically means is "we have to do this when paying the ransom, otherwise, when Shiny Hunters inevitably later release the data, we will be sued for not having done this".
Paying the ransom makes zero sense, unless the data is destroyed in some existential sense to Instructure.

BrianKrebs May 12

@europlus Oh crap. That reminds me: I have to go shred some logs.

@briankrebs that almost sounds NSFW…

John Kristoff May 8

@briankrebs Reports in the last hour that logins were working again.

BrianKrebs May 8

@jtk I am shocked. From the story

A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well. Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

deepfryed May 8

@briankrebs @jtk Not surprised but also not ideal. Everyone's trying to put out the fire within their own area of control. Are are any further details on how they managed to do it ? The fact that they were hacked last year and again this time doesn't bode well.

May Likes Toronto May 8

@briankrebs @jtk Public institutions have since ridiculously strict rules about paying cybersecurity ransoms, no?

@mayintoronto @briankrebs @jtk no. or so I have heard rumoured.

s/nationwide/worldwide/

https://www.rnz.co.nz/news/education/594635/new-zealand-students-details-caught-up-in-massive-global-university-hack

New Zealand students' details caught up in massive global university hack

Names, email addresses, ID numbers and messages between users could all have been stolen, while students can't submit work.

RNZ

It'll be interesting to see if this ends up being a factor in the breaches:

"Instructure, the creators of Canvas Learning Management System, and OpenAI, the artificial intelligence research organization and developer of ChatGPT, have joined forces to present a compelling solution. Their innovative partnership shows how AI can become a normal, helpful part of everyday educational experiences, greatly improving teaching and learning processes."

https://www.forbes.com/sites/rayravaglia/2025/07/23/instructure-and-openai-harness-the-power-of-ai-to-transform-learning/

Instructure And OpenAI Harness The Power Of AI To Transform Learning

Instructure and OpenAI partner to embed powerful AI tools within Canvas LMS, transforming learning by enabling dynamic assignments, rich feedback, and deeper insights.

Forbes

Hackers are dedicated and clever people. They get what they're after.

But it always drives me spare that these people hack schools and pharmacies and the local council, but never Truth Social or Reform UK or pedophiles r us. 😮‍💨

@Arapalla @briankrebs I feel like the reason could be in your statement already.

Tara L. Campbell May 8

@Arapalla @briankrebs Right? The education technology space is an underfunded, under-resourced target.

Whatever happened to the whitehat groups, the digital Robin Hoods of our era, taking (back) from the rich and giving to the poor?

We're just left with these twats who can only punch down because they aren't good enough to go after the corrupt institutions that can afford to protect their assets.

@tarabara @Arapalla @briankrebs Really? The education IT space is underfunded. Wow. First I've heard of this. My wife has worked at 2 major universities in high level positions and she will tell you herself that their IT Departments are, if anything, over-funded, but with poor management.

Tara L. Campbell May 8

@jhooper @Arapalla @briankrebs technology options available to the education space are few. W/o potential for billions to be made, investors aren't interested.

I work in public higher ed* IT and while there was a time when we developed in-house solutions, that's no longer the case. Vendor solutions, SaaS, all the way now. LMS platforms are not lucrative enough for strong competition.

*Federal and state funding cuts have left us miserably understaffed, though exec leadership is comfortable.

@briankrebs though on some universities, Canvas is used for exchanging messages on sensitive topics, many other schools only use it as a LMS. Books, deadlines, exercises, all not really sensitive. Luckily, my university is in the second group. For interpersonal comms, we use Gmail.

@briankrebs interestingly, Shinyhunters removed the listing from their site¹. I attached a screenshot I found displaying the listing while it was still live (better than this screenpic lol).

With the recent Chipsoft hack by the same group, the removal of the listing by the site indicated negotiations by the hacked and the hacker were ongoing. Chipsoft likely ended up paying, since they report the data was deleted.

[1] for the curious, at your own peril: http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion/

@briankrebs my kids says "oh no, the Chinese are going to find out my math grade"

Hugs4friends ♾🇺🇦 🇵🇸😷May 8

@briankrebs Affected Australia, too. Sydney University, and QLearn in Brisbane.
I do hope the institutions had hard copies.

@briankrebs From what I've heard, the hackers keep pushing back the deadline for payment, and chances are they know they don't really have data of value. Most of it is essentially private messages on that platform, DOBs and educational email addresses and not much else. The real embarrassment is that those hackers still seem to have access to the system and Canvas isn't capable of admitting or even coming close to solving the issue.

Yet another Josh

Yep! All for Finals week and Graduation week very soon.

Its basically their best possible timing as a ransom operation.

trumpresistance May 11

@briankrebs
Will you care to comment on Dirty Frag?

Every wretched poxing suppurating time.

https://en.wikipedia.org/wiki/Danegeld

Danegeld - Wikipedia

@briankrebs Not only US. Also university, I know at least one, in Austria was affected.

System Adminihater May 16

@briankrebs Does anyone know a company or individual that can provide "closure" or more information on older cyberattacks? I would love to know who hacked something in 2018.