Security Breach at Instructure: Extortion Message Left on Canvas Login Portals
Instructure, a leading education technology company, recently confirmed a security vulnerability that allowed hackers to tamper with Canvas login portals, leaving behind an extortion message.
Reports indicate that the breach and defacements were a result of multiple cross-site scripting (XSS) vulnerabilities, granting the attacker access to authenticated admin sessions.
The motive behind the second hack was to pressure Instructure into negotiating a ransom following an initial breach that was disclosed a week prior.
Known for developing Canvas, a widely-used learning management system (LMS) in educational institutions worldwide, Instructure took immediate action upon discovering the breach on April 29.
After revoking unauthorized access, initiating an investigation, and enlisting forensic experts, the company confirmed a data breach a few days later.
ShinyHunters, a known threat actor, claimed responsibility for the breach and published the stolen data on their platform, revealing more than 3.6 terabytes of uncompressed information.
To coerce Instructure into paying a ransom, the threat actor exploited XSS vulnerabilities by injecting malicious JavaScript into user-generated content features, gaining access to authenticated admin sessions for privileged actions.
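The chain described above, stored script in user-generated content that then runs in a privileged session, is the one an application team has to break at two points: encode user content on output, and keep the session cookie out of reach of any script that still slips through. The following is an added illustration written for this article, not Instructure's code; the comment text, the cookie name `session` and the detector are constructed for the example.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample of user-generated content carrying an inline event
# handler; it is not a payload from the Canvas incident.
SAMPLE_COMMENT = 'Great course! <img src=x onerror="alert(1)"> <b>thanks</b>'


def render_unsafe(user_content: str) -> str:
    """The stored-XSS pattern: raw user input concatenated into a page."""
    return f"<div class='comment'>{user_content}</div>"


def render_escaped(user_content: str) -> str:
    """Output encoding: markup characters become entities, so the browser
    displays the text instead of interpreting it."""
    return f"<div class='comment'>{html.escape(user_content, quote=True)}</div>"


class _ActiveContentDetector(HTMLParser):
    """Collects tags and attributes that can execute script when rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def find_active_content(rendered_html: str) -> list:
    """Return the script-capable constructs present in rendered HTML."""
    detector = _ActiveContentDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.findings


def session_cookie_hardened(set_cookie_header: str, name: str = "session") -> bool:
    """True if the named cookie has HttpOnly, Secure and SameSite Lax/Strict;
    HttpOnly stops injected script from reading the session token directly."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return False
    return bool(morsel["httponly"]) and bool(morsel["secure"]) \
        and str(morsel["samesite"]).lower() in ("lax", "strict")
```

Run `find_active_content` over both renderings of `SAMPLE_COMMENT` to see the unsafe one flag the `onerror` handler while the escaped one yields nothing; note that HttpOnly limits cookie theft but not actions the script performs with the victim's session in-page, which is why the output encoding is the primary control.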
Instructure later confirmed that the security issue primarily affected the Free-for-Teacher environment, a limited version of the Canvas LMS for individual educators.
“The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas” – Instructure
As a precautionary measure, Instructure temporarily took Canvas offline to prevent further malicious activities, identify the root cause, and implement additional security measures.
ShinyHunters leveraged the vulnerability to insert a message on Canvas login portals, setting a deadline of May 12 for Instructure and affiliated schools to initiate ransom negotiations.
Hackers’ message on the Canvas login page of the University of Texas San Antonio
In response, Instructure suspended Free-for-Teacher accounts until the issues were resolved. Canvas services were restored and available again from May 9.
While the defacement of Canvas login portals did not compromise any data, the initial breach led to the exfiltration of usernames, email addresses, course details, enrollment information, and messages by ShinyHunters.
According to ShinyHunters, the breach impacted 8,809 educational organizations, with a claimed theft of 275 million records belonging to students, teachers, and other staff members.