Canvas breach disrupts schools nationwide: 6 steps to take now




ZDNET’s key takeaways

  • Canvas was disrupted this week by a cyberattack.
  • Many students are unable to access the popular educational portal.
  • Instructure says data was stolen; what Canvas users should do next.

Canvas is at the center of an ongoing cyberattack and data extortion attempt by a well-known cybercriminal group that claims to have stolen student records. If you are a Canvas user, you can take defensive measures now.

What is Canvas?

Canvas is a Learning Management System (LMS) from Instructure, a Salt Lake City-based educational technology company founded in 2008.

Designed for remote learning, Canvas has been adopted by thousands of schools for course creation and management, grading, feedback, and coursework submission. Instructure says the LMS now supports tens of millions of users — students and parents — and has recorded 27 million mobile app downloads. Canvas is available in over 100 countries. 

What happened?

While Canvas boasts a 100% uptime notice on its website, Instructure CISO Steve Proud said last week that the LMS had “recently experienced a cybersecurity incident perpetrated by a criminal threat actor.”

The company began investigating. On May 6, Proud said the company believed the incident had been “contained,” but some data may have been exposed — and it didn’t take long for students to begin reporting login issues.

On Thursday, May 7, Canvas login interfaces were defaced, with ransom notes reportedly posted by the ShinyHunters group as it moved from data theft to public extortion. Students who tried to log in were unable to access their course materials, likely a deliberate attempt by the cyberattackers to put pressure on Instructure to pay up, with finals just around the corner. 

In response, Canvas displayed a maintenance mode page, an action that has drawn criticism.

The hackers’ ransom note, which has since circulated online, demands that Instructure contact the group by May 12. 

“ShinyHunters has breached Instructure (again),” the note reads. “Instead of contacting us to resolve it, they ignored us and did some ‘security patches.’”

While access has reportedly been restored for most users, with the deadline approaching, this may not be the end of the story.

What is ShinyHunters?

ShinyHunters is a collective of cybercriminals that extorts companies for payment. The group made headlines in 2020 with a swathe of company breaches, and its modus operandi is to quietly infiltrate a target business, steal information, and then publicly pressure the victim into paying a “settlement.”

Often associated with large-scale breaches, ShinyHunters, like many other cybercriminal groups, operates a “leak site.” Leak sites are public-facing websites that list alleged victims and the items stolen, and often include a demand for payment. 

If a victim fails to comply, the information stolen from them may be published. Having the victim’s name removed from the leak site may also be part of negotiations. 

What information was stolen?

ShinyHunters has threatened to leak data on approximately 275 million students from 8,800 academic institutions if its demands are not met. 

According to Instructure, exposed data may include:

  • Names
  • Email addresses
  • Student ID numbers
  • Messages between users

“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved,” Instructure said. “If that changes, we will notify any impacted institutions.”

Instructure’s response

It is not known whether Instructure has communicated with ShinyHunters. Instructure said it is currently “not seeing any ongoing unauthorized activity.”

The company has revoked privileged credentials and access tokens associated with affected systems, deployed security patches — although no associated vulnerability disclosures have been made yet — and rotated security keys. Instructure said it has also ramped up monitoring across its platforms. 

“As a precaution, we recommend customers follow security best practices, including enforcing MFA on privileged accounts, reviewing admin access, and rotating API tokens or keys where applicable,” the company added. 

6 steps to take immediately

  1. School updates: As this security incident appears to affect thousands of schools and academic institutions, reach out to your institution or visit its website and communication channels for updates. 
  2. Passwords: Whenever you suspect you have been involved in a data breach, the first thing you should do is change the password you use to access your account. If you are using the same password to access other online services, change those passwords as well. If the ransomware group releases stolen data and manages to grab credentials, those credentials may be made public. You should consider using a password manager to create complex passwords and to receive leak alerts.
  3. Have I Been Pwned: It’s too early for this data breach and any subsequent data leak to be recorded on Have I Been Pwned, but we recommend visiting this website frequently to check whether you have been involved in any online data breaches. It’s free, and all you need to do is search with your email address. 
  4. Enable 2FA/MFA: If you have not already done so, enable two-factor or multi-factor authentication on your associated accounts. 
  5. Keep an eye on your email: If Canvas follows appropriate procedures, it should inform users if their information has been exposed — keep an eye out for any updates. 
  6. Watch out for phishing: If stolen email addresses or contact details are leaked online, they may be used in targeted phishing campaigns, so be careful if you receive correspondence that appears to be from your school or Canvas itself. If there are any indications of a phishing attempt (such as strange grammar, spoofed email addresses, or requests to click unofficial links or open attachments), verify it by phone or another means first.

ZDNET has reached out to Instructure, and we will update if we hear back. 




