Instructure Reaches Deal With ShinyHunters to Return and Destroy Stolen Canvas Data

Instructure, the parent company of Canvas, said it reached an agreement with the hackers behind the Canvas breach and that the data was returned and destroyed, after the cyberattack created chaos for students during finals.

The company said it received "digital confirmation" that the hackers destroyed any remaining copies in the form of "shred logs," while also acknowledging there was "no way to be sure that the data was erased for good."

6abc Philadelphia

ABC13 Houston reported that a hacking group named ShinyHunters claimed responsibility for the breach and threatened to leak data involving nearly 9,000 schools worldwide and 275 million individuals if schools did not pay a ransom by May 6.

Instructure temporarily took Canvas offline while it investigated, locking out students and faculty, and then brought the system back as the company worked with "expert vendors" to do forensic analysis and harden its systems.

The New York Times said Instructure did not disclose what it gave the hackers in exchange for the return of stolen data and confirmation of destruction, even as it said the agreement covered all impacted customers.

ShinyHunters’ extortion pressure was tied to deadlines, with the group threatening to leak data on May 12 if it did not receive a response from Instructure, and Instructure saying it had been informed that none of its customers would face extortion as a result of the theft.

The BBC reported that the hackers threatened to publish 3.5 terabytes of student and university data they had stolen, and that Instructure confirmed it had "reached an agreement" with the hackers who said they deleted the data.

ABC13 Houston

The New York Times described how Canvas was shut down for hours after the cyberattack on Thursday, and said ShinyHunters claimed access to the data of more than 275 million users at nearly 9,000 schools worldwide.

Instructure said it first detected unauthorized activity in Canvas on Apr. 29 and again on May 7, and it took Canvas offline to investigate while also informing the F.B.I., the U.S. Cybersecurity and Infrastructure Security Agency and other international law enforcement partners.

WRAL reported that Wake County Public School System restored access to Canvas on Monday and that the North Carolina Department of Public Instruction returned Canvas-related services to normal operations around 4 p.m. Monday.

Instructure CEO Steve Daly apologized in a letter to the Instructure community, saying the incident involved unauthorized access to part of its environment and that the data fields involved include usernames, email addresses, course names, enrollment information and messages.

“The company that operates online learning system Canvas said it struck a deal with hackers to delete the data they pilfered in a cyberattack that created chaos for students, many of them in the middle of finals”

ABC13 Houston

Daly said core learning data (course content, submissions, credentials) was not compromised, and he also said Instructure identified a vulnerability regarding support tickets in its Free for Teacher environment that was exploited, prompting the company to temporarily disable Free for Teacher.

The Hacker News warned that "The exfiltrated data provides threat actors enough personal context to conduct targeted phishing campaigns" and said leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks.

WRAL said Wake County restored access after a briefing with state Department of Public Instruction officials reassured the district that there was no remaining risk, while a Durham Public Schools spokesperson said the district had not restored access to Canvas yet.

Instructure said it was working with expert vendors to do a forensic analysis, further harden its systems, and carry out a comprehensive review of the data involved, even as it said there was no complete certainty when dealing with cyber criminals.