On Tuesday, education tech giant Instructure disclosed a data breach where hackers stole students’ private information, including their names, personal email addresses, and messages sent between teachers and students.
Now, it appears hackers were able to compromise Instructure again — this time defacing several schools’ login pages to the company’s platform Canvas, which allows schools to manage coursework and assignments and communicate with students.
TechCrunch saw a message published by the cybercrime group ShinyHunters on the Canvas login pages of three separate schools. A review of the defaced portals shows that the hackers injected an HTML file that altered the login screens to display their message.
The message says the hackers will publish the stolen data on May 12 if the company does not “negotiate a settlement.”
At the time of writing, Instructure’s website appeared to be partially online, at times returning a “too many requests” error. The company’s Canvas portal displayed a notice saying it was “currently undergoing scheduled maintenance.”
Instructure spokesperson Brian Watkins told TechCrunch that when the company discovered that hackers had changed some customers’ login pages to its platform Canvas, “out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate.”
“We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” said Watkins, who also said that the hackers who defaced the login pages are the same ones involved in the previous breach. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”
ShinyHunters had previously claimed responsibility for the original hack, publicizing it on its leak site — a website hackers use to publish stolen data and pressure victims into paying ransoms — in an effort to extort Instructure into paying to keep the data from going public. This apparent new hack, along with the fact that hackers chose to notify TechCrunch about the defaced login pages, indicates that the hackers are trying to ramp up pressure on Instructure and its customers, hoping to force them to cave to the hackers’ demands.
It’s unclear how the hackers were able to compromise the login pages. When asked, a member of ShinyHunters told TechCrunch that they couldn’t comment on specifics, but said this is a second, separate breach.
Following the original breach at Instructure, the hackers claimed to have stolen data from almost 9,000 schools around the world, with the stolen files allegedly containing information on 231 million people.
The group has compromised countless victims over the last couple of years, following the same financially motivated playbook: hack, publicize, and extort.
This story was updated to include comments from Instructure’s spokesperson.