ShinyHunters claims nearly 9,000 schools affected by Canvas data breach

ShinyHunters, the prolific criminal hacker and extortion group, on Thursday provided additional details about its recent breach of Canvas, the learning management system developed by Instructure, with hopes of coaxing payments from some of the nearly 9,000 educational institutions it claims are affected.

After announcing on May 1 that it had exfiltrated several terabytes of data containing the personal information of 275 million users, it announced a deadline of Thursday before “everything is leaked and there will be no chance at a negociation for anyone. Instructure has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data. Our demand was not even as high as you might think it is.”

On Thursday, the group presented to Canvas users a second message and extended the deadline for payment until May 12. “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the note reads. The group advised affected schools to consult security professionals and use the Tox messaging protocol to negotiate a “settlement.”

The attached list of affected institutions includes many school districts, along with well-known universities, including Cambridge, Columbia, Cornell, Georgetown, Harvard, MIT and UC Berkeley.

There are mixed reports of exactly which organizations are affected and what sort of data is included in the breach. Tech Radar reported that affected data includes names, email addresses, student ID numbers and user communications, but that passwords, dates of birth and financial information were not involved.