ShinyHunters Defaces Canvas Logins, Demands Contact by May 12
ShinyHunters altered Canvas web and app login screens for hundreds of schools, posting a ransom message that claimed a prior data theft and set a May 12 deadline.
ShinyHunters altered Canvas web login portals and the Canvas app for hundreds of schools, posting an on-screen ransom message that claimed responsibility for a prior breach and gave a May 12 deadline for contact or public release of data.
Instructure, the company that operates Canvas, confirmed earlier this week that a major breach affected its cloud-hosted environment. The attackers said they had stolen hundreds of millions of records tied to thousands of schools and universities.
Security reporting on the earlier incident indicates the stolen data included student and staff records, enrollment details and private messages allegedly accessed through Canvas export features and application programming interfaces. The more recent activity used a separate vulnerability to change the appearance and behavior of institutional login pages.
The ransom notice appeared on both institution web logins and inside the Canvas app, making it visible to students, parents and staff attempting to access courses.
Security investigators say the changes to login pages show attackers retain access to at least some components that control single sign-on and portal customization within Instructure’s environment. The presence of the messages on multiple access points raised questions about the integrity of authentication processes.
Data taken in the earlier incident could increase the risk of identity fraud and enable highly targeted phishing that references real courses, teachers or enrollment details. Those risks persist while records remain outside the control of schools and families.
Cybersecurity advisers and Instructure urged users to reset passwords used for Canvas, enable multi-factor authentication where available and monitor financial and credit activity. Schools and districts were advised to coordinate with Instructure, review single sign-on integrations and prepare clear communications for students, staff and parents.
Instructure has been notified of the defacements. Affected organizations were working to remove the on-screen messages and to investigate the access vectors used by the attackers.
