Educational institutions in the United States are attempting to negotiate directly with the hacker group ShinyHunters after the learning platform Canvas was hit by a large-scale cyberattack.
According to Reuters and the security website KrebsOnSecurity, some schools have already contacted the attackers to prevent stolen data from being made public.
The attack targets Canvas, the widely used digital learning platform from software company Instructure. ShinyHunters claims to have stolen approximately 6.65 terabytes of data from nearly 9,000 schools and universities worldwide. According to KrebsOnSecurity, this may involve data from approximately 275 million students, teachers, and staff members.
The stolen information reportedly consists of names, email addresses, student ID numbers, and private communications within the platform. The hackers also claim to have obtained billions of messages between students and faculty. Instructure says it currently has no indication that passwords, financial data, dates of birth, or official identification numbers have been compromised.
Attack in the middle of exam period
The impact of the incident became apparent last week when students and staff suddenly saw a ransom note from ShinyHunters upon logging into Canvas. The hackers had temporarily replaced the normal login page with a message urging schools to contact them directly for negotiations.
According to KrebsOnSecurity, this occurred at an extremely sensitive time. Many schools and universities are currently in the middle of exam weeks and final assignments, meaning disruptions have immediate consequences for classes, deadlines, and exams.
Instructure subsequently took Canvas, Canvas Beta, and Canvas Test offline temporarily. The regular environment became available again a few hours later, while access to the test and beta environments remains limited for the time being.
ShinyHunters previously published a list of approximately 1,400 affected schools and districts and stated that institutions could negotiate independently to prevent the publication of their data, regardless of whether Instructure itself would pay.
Deadline pushed back
According to the hackers, the original payment deadline was May 6, but it was later pushed back to May 12. This fuels speculation that discussions or negotiations are underway. According to sources at KrebsOnSecurity, several universities have since actually reached out to the group.
Notably, references to Instructure also disappeared later from ShinyHunters’ extortion website. In the ransomware world, this often happens when a victim pays or negotiations take place, though there is no confirmation of this.
Instructure reported in early May that the incident had been contained and that there were no indications of ongoing unauthorized activity. Nevertheless, hackers were able to visibly intervene again a few days later by modifying the Canvas login page.
According to Instructure, the attackers exploited a vulnerability within Free-for-Teacher, an environment that allows users to test parts of Canvas without a full educational license. The company has temporarily disabled that service.