A cyberattack against Canvas, one of the most widespread educational platforms in the United States, has compromised the personal data of more than 275 million students and teachers from almost 9,000 centers. The intrusion also left the service out of operation for several hours in the middle of exam and final submission season.
The breach combines two impacts at once. On the one hand, it affects a basic tool for the daily activity of universities and educational centers. On the other hand, the attackers threatened to publish the information obtained on the dark web if they did not receive a payment before May 12.
The attack affected 275 million users from almost 9,000 centers
Among the compromised data are names, email addresses, identification numbers, and messages exchanged within Canvas. Instructure, the platform provider company, indicated that there is no evidence of password leaks or financial data.
The company defined what happened as a cybersecurity incident perpetrated by a threatening criminal actor. Authorship of the leak is attributed to the ShinyHunters group.
For several hours, the attack interrupted the functioning of Canvas at a time of maximum academic activity. Several universities suspended digital services and limited access to the platform while they reviewed the scope of the intrusion.
Attackers altered login screens and set May 12
Some centers activated preventive measures immediately. Among them, they forced logouts and recommended urgent password changes to their users.
TechCrunch explained that, after analyzing the manipulated portals, the attackers injected an HTML file that modified the login screens to display their message. That detail points to a direct manipulation of the accesses visible to students and teachers.
As of today, the exact method used to access those pages has not been disclosed. The available information points, however, to a second security breach in the platform's environment.
The threat from those responsible for the leak sets a specific date for the extortion, as they warned that they would publish the stolen information on the dark web if they were not paid before May 12.