Canvas Data Breach A Deal Was Made With Hackers

Summary of the Incident

Canvas, a leading learning management system (LMS) used by millions of students and educators worldwide, is at the center of a major cybersecurity incident. According to a statement from its parent company, Instructure, unidentified hackers infiltrated the platform's systems and exfiltrated a significant amount of user data. Complicating the matter further, Instructure announced it had reached an agreement with the attackers to prevent the stolen data from being published or sold online. The company stated that, in exchange for the deal, it received assurance from the hackers that the data had been permanently deleted. This decision has ignited an intense debate within the cybersecurity community and among users regarding its ethical and practical implications.

Scope and Nature of the Leaked Data

While Instructure has refrained from providing precise figures on the exact scope of the breach and the number of affected users, the nature of the potentially exposed data is alarming. As an educational platform, Canvas stores highly sensitive information about its users. The types of data potentially compromised include:

• Personally Identifiable Information (PII): Basic identity details of students and educators, such as full names, email addresses, student ID numbers, and dates of birth.
• Academic Records: Grades, course enrollments, assignment submissions, exam results, and communications within course discussion forums.
• Contact Information: Phone numbers and physical addresses that may have been added to the system by the educational institution.
• Login Credentials: Usernames and, most likely, hashed passwords. Although hashing provides a layer of security, weak passwords can still be cracked using brute-force attacks.

The combination of this data creates a valuable resource for identity theft, targeted spear-phishing attacks, and other forms of fraud. The exposure of academic records, in particular, poses a serious threat to student privacy.

The Technical Aspect of the Attack

The company has not yet shared technical details about how the attackers breached its systems. Such information is often kept confidential during ongoing forensic investigations. However, common attack vectors seen in breaches of similar large-scale platforms include:

• Exploitation of a Vulnerability: The use of a previously unknown (zero-day) or known but unpatched vulnerability in the platform's software or server infrastructure.
• Phishing: A sophisticated phishing attack targeting a company employee with privileged access. The theft of this employee's credentials could have provided the attackers with their initial foothold in the network.
• Misconfigured Cloud Storage: Improperly configured access permissions for cloud storage services like Amazon S3, which house customer data, could have left the data publicly exposed or easily accessible to attackers.
• Third-Party Integration Risk: A compromise of a third-party service provider integrated with Canvas could have been used as a pivot point for attackers to infiltrate the Canvas network.

Although Instructure stated it is working with cybersecurity firms and law enforcement, its decision to negotiate with the hackers could be interpreted as a sign that they were struggling to contain the situation.

Who Are the Affected Users?

Canvas serves a wide range of educational institutions globally, from K-12 schools to some of the world's most prestigious universities. Consequently, the potential audience affected by this breach is vast:

• Students: The personal and academic data of millions of students of all ages are at risk.
• Educators: The contact information and course materials uploaded by teachers, professors, and instructors may have been exposed.
• School Administrators: The information of personnel with administrative access to the system and institutional data could have been compromised.

The breach directly impacts not only individual users but also the reputation and security of the educational institutions that rely on the platform.

What Should You Do?

If you are a Canvas user, it is strongly recommended that you take proactive measures, despite the company's assurance that the data has been deleted:

1. Change Your Password Immediately: Change your Canvas account password to a strong, unique one right away. If you use this password on other platforms, be sure to change those as well.
2. Enable Two-Factor Authentication (2FA): If 2FA is available for your Canvas account or the associated school system, enable it immediately. This greatly prevents unauthorized access to your account, even if your password is stolen.
3. Be Wary of Phishing Attacks: Attackers can use your stolen email address and personal information to send you convincing, personalized phishing emails. Avoid clicking on links or downloading attachments from suspicious emails that appear to be from Canvas or your school.
4. Monitor Your Accounts: Keep an eye on your other online accounts for any suspicious activity.

The Company's Statement

In its official statement, Instructure emphasized that it began working with a team of cybersecurity experts immediately after detecting the incident and that security vulnerabilities in its systems have been remediated. The company defended its decision to negotiate with the hackers, stating, "our priority is to protect our users' data," and that the agreement was a necessary step to prevent the data from being widely disseminated. However, this approach has been sharply criticized by security experts for funding cybercrime and encouraging future attacks. The fact that it is nearly impossible to verify whether the hackers actually deleted the data casts serious doubt on the effectiveness of such a deal.

Kaynak

https://www.securityweek.com/deal-reached-with-hackers-to-delete-data-stolen-from-the-canvas-educational-platform/