The U.S. House Committee on Homeland Security Investigates Cyberattacks on Instructure’s Canvas Platform
The U.S. House Committee on Homeland Security has recently taken a keen interest in the cyberattacks on Instructure that targeted its Canvas platform. These attacks, orchestrated by the ShinyHunters extortion group, resulted in the theft of student data and significant disruptions to schools during crucial final exams.
In a formal letter addressed to Instructure CEO Steve Daly, Committee Chairman Andrew R. Garbarino expressed the committee’s concern over the massive breach that has impacted millions of students reliant on Instructure’s Canvas learning management platform.
The letter stated, “The Committee on Homeland Security (Committee) is investigating the concerning reports related to recent cybersecurity incidents affecting Instructure Holdings, Inc. and the tens of millions of students, educators, and administrators who rely on its Canvas learning management platform.”
According to initial reports by BleepingComputer, Instructure disclosed the breach on May 3, and the intrusion was detected on April 29. Threat actors breached Instructure’s systems, accessed student data, and disrupted the normal operations of schools using Canvas.
The compromised information included names, email addresses, student identification numbers, and communication between students and teachers on the platform. Fortunately, sensitive data like passwords, financial details, and government identifiers were not part of the breach.
On May 3, the ShinyHunters group claimed responsibility for the attack, boasting about stealing 280 million data records from various educational institutions, including colleges, school districts, and online education platforms.
Image: Instructure listing on the ShinyHunters data leak site (Source: BleepingComputer)
The ShinyHunters group proceeded with a second attack, defacing Canvas login portals across educational institutions in the U.S. This disruptive act forced colleges to cancel exams and affected end-of-semester activities, creating chaos during a critical period.
Image: ShinyHunters’ message on the University of Texas San Antonio’s Canvas login page (Source: BleepingComputer)
Further investigations revealed that the threat actors exploited cross-site scripting (XSS) vulnerabilities to gain access to admin sessions and modify login portal pages.
Schools across multiple states, including California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin, reported disruptions due to the incident.
The attackers claimed they targeted Instructure again because the company refused to engage in negotiations with them.
In a surprising turn of events, Instructure managed to reach an agreement with ShinyHunters to prevent further public leaks and ensure the deletion of stolen data.
While the specifics of the agreement were not disclosed, it is common for ransom payments to be involved in such agreements with extortion groups.
The Homeland Security Committee has raised concerns about Instructure’s incident response capabilities and its obligations to safeguard the data it holds. It has requested that Instructure participate in a briefing by May 21 to address the breaches, data containment, notifications, and coordination with federal agencies.