The ShinyHunters cybercrime gang has breached Instructure's Canvas learning platform twice in quick succession, affecting nearly 9,000 educational institutions and 275 million users during final exam week. Despite Instructure claiming the initial April 25 attack was contained by May 2, hackers struck again on May 7, forcing the company to take Canvas offline once more.
The attackers exploited vulnerabilities in "free-for-teacher" accounts and claim to have stolen 3.65TB of data, including names, emails, student IDs, and billions of private messages between students and teachers. The breach spans universities, K-12 schools, and major corporations like Amazon and Apple across multiple countries.
Students report being locked out during critical study periods, with ransom messages appearing instead of their grades. The incident raises serious concerns about data protection for minors and the security standards expected from platforms serving such massive educational networks.
Source: Dark Reading