Canvas Owner Instructure Reaches Deal After Ransomware Attack
EdTech giant Instructure has confirmed it reached an agreement with the cybercrime group ShinyHunters following a ransomware attack on its popular learning management system, Canvas. The deal aims to prevent the public release of data belonging to millions of students and educators.
Event Summary
On May 14, 2026, the educational technology world was shaken by a startling announcement from Instructure. The company, owner of the popular Learning Management System (LMS) Canvas used by millions of students, teachers, and educational institutions, officially disclosed that it had suffered a ransomware attack and subsequently reached an agreement with the cybercriminals. The group behind the attack was identified as ShinyHunters, a notorious entity known for targeting numerous large corporations. The statement emphasized that the purpose of this agreement was to prevent the attackers from publishing or selling the sensitive data they had exfiltrated.
This incident once again highlights the severe danger of a tactic known in the cybersecurity world as "double extortion." Attackers no longer just encrypt systems and demand a ransom; they also steal data and use the threat of its public release to increase pressure on victim companies. Instructure's decision to negotiate an agreement has raised concerns about the vast scope and sensitivity of the stolen data.
Leaked Data and Scope
While Instructure has not disclosed the full details of the compromised data, citing the terms of the agreement, the very nature of a comprehensive platform like Canvas suggests that a wide range of data types were at risk. The data that may have been exfiltrated includes:
- Personally Identifiable Information (PII): Full names, email addresses, student ID numbers, dates of birth, and in some cases, even physical addresses and phone numbers of students and educators.
- Academic Records: Highly sensitive information such as grades, course materials, submitted assignments, exam results, and academic progress reports.
- User Credentials: Usernames and potentially hashed passwords. Even though passwords are not stored in plain text, weak passwords can be cracked through brute-force attacks.
- Communication Data: Records of communications within the platform, including private messages, announcements, and forum discussions.
The leakage of this data is not merely a privacy violation. It carries a significant risk of being used for identity theft, targeted spear-phishing attacks, and various other forms of fraud. The combination of academic records and personal information poses a particularly serious threat to both students and educators.
The Technical Aspect of the Attack
This event is a classic example of a ransomware attack, albeit a modern variant. Ransomware is a type of malicious software that blocks a victim's access to files on their computer system and demands a ransom payment to restore that access.
The tactic employed by ShinyHunters is known as "double extortion." The steps of this method are generally as follows:
- Infiltration: The attackers gain access to the company's network, often through a weak password, a phishing email, or a software vulnerability.
- Data Exfiltration: Once inside the network, they copy valuable and sensitive data to their own servers before encrypting the systems. This process can take weeks or even months.
- Encryption: After stealing the data, they lock the files on the company's systems with a strong encryption algorithm, rendering them inaccessible.
- Ransom Demand: The attackers then demand a ransom for two things: the decryption key to unlock the files, and a promise not to publish the stolen data.
Instructure's statement that they "reached an agreement" most likely implies that a payment was made to fulfill the second demand—to prevent the data from being released. This is a difficult decision for companies, as paying the ransom finances cybercrime, but not paying risks the public exposure of data from millions of users.
Who Are the Affected Users?
Canvas is a platform used globally, from K-12 schools to major universities. Therefore, the potential pool of affected individuals is enormous and includes various groups:
- Students: The personal and academic information of students of all ages is at risk. This is a significant concern, especially for minors.
- Educators and Academics: The personal data, course materials, and communications of teachers, professors, and school staff have been compromised.
- Parents: Information belonging to parents who have access to the platform to monitor their children's academic progress may also be part of the breach.
- Institutions: The schools, colleges, and universities using Canvas are facing a major crisis concerning their reputation and legal liabilities.
What Should You Do?
If you are a Canvas user, it is crucial to take proactive steps to protect yourself against the possibility that your data has been compromised. Here are the recommendations:
- Change Your Password Immediately: Change not only your Canvas password but also the passwords for any other online accounts where you have used the same one. Use unique and strong passwords for every account.
- Enable Two-Factor Authentication (2FA): If your institution supports it, enable 2FA on your Canvas account and other critical accounts (email, social media, banking). This significantly reduces the risk of unauthorized access even if your password is stolen.
- Be Wary of Phishing Attacks: Cybercriminals can use your leaked email address and personal information to send you more convincing and personalized phishing emails. Do not click on links or download attachments from suspicious emails.
- Follow Official Communications: Pay close attention to official announcements and instructions from both Instructure and your own educational institution.
The Company's Statement
In its official statement, Instructure mentioned that it is working with cybersecurity experts and law enforcement agencies. The statement read, "The security of our customers' and users' data is our highest priority. After a thorough investigation, we made the difficult decision to reach an agreement with the threat actor to prevent the misuse of data." The company added that it has taken additional measures to enhance the security of its systems and is communicating directly with the affected institutions. Such diplomatic language is often used to avoid explicitly admitting a ransom was paid, but within the cybersecurity community, the term "agreement" is widely interpreted as a payment having been made.
Source
https://www.infosecurity-magazine.com/news/canvas-cybercriminals-agreement/