
Monday, May 11, 2026

### ShinyHunters Breaches Canvas LMS: 6.65TB of Student Data Stolen in Largest Education Hack of 2026

 






May 8, 2026 | Washington D.C. — In what cybersecurity experts are calling the largest breach of an educational platform this year, the notorious hacker collective ShinyHunters claims to have stolen 6.65 terabytes of data from Canvas, the cloud-based learning management system used by over 9,000 schools and universities worldwide.


The breach exposes a troubling shift in cybercriminal tactics: instead of dumping data on dark web forums, ShinyHunters is directly extorting individual school districts with threats to publish sensitive student information.


#### Scope of the Breach: Millions Potentially Affected

Canvas, owned by education tech firm Instructure, serves more than 30 million students and educators globally. While Instructure has not confirmed the exact number of impacted accounts, ShinyHunters provided samples suggesting the stolen database includes:


- Personally Identifiable Information (PII): Full names, school email addresses, user IDs, and enrollment records of both students and faculty.

- Private Communications: Direct messages between teachers and students, discussion board posts, and assignment feedback comments.

- Academic Records: Submitted assignments, grades, attendance logs, and in some cases, IEP/504 plan notes for students with disabilities.

- Institutional Data: Internal course blueprints, administrative documents, and third-party app integration tokens.


Notably, Instructure stated that “there is no current evidence that Social Security numbers, financial information, or password hashes were accessed”, as Canvas does not store that data. However, experts warn that leaked messages could still be used for phishing or harassment.


#### Timeline of the Attack

According to a forensic summary shared with NDTV News:


1. Late April 2026: ShinyHunters exploited a zero-day vulnerability in a third-party analytics plugin integrated with Canvas’s legacy data warehouse.

2. April 27 – May 3: The group maintained access undetected, exfiltrating 6.65TB of data to offshore servers.

3. May 3, 2026: Instructure’s security team detected anomalous outbound traffic and cut access.

4. May 6, 2026: ShinyHunters posted samples on a Telegram channel and began emailing U.S. school districts demanding payment in Monero cryptocurrency.


#### Extortion Tactics: “Pay or We Leak Your Students’ Messages”

Multiple school districts in Texas, California, and New York confirmed receiving ransom emails. The messages threaten to release “embarrassing or confidential student-teacher conversations” unless a payment is made within 72 hours.


“This is FERPA nightmare fuel,” said Maya Chen, a cybersecurity analyst at the Center for Digital Education. “Unlike a corporate breach, student messages can involve mental health disclosures, disciplinary issues, or family problems. The legal and emotional fallout is massive.”


The U.S. Department of Education has opened an investigation into potential FERPA violations. Under FERPA, schools can face loss of federal funding if they fail to protect student education records.


#### Who Are ShinyHunters?

Active since 2020, ShinyHunters is a financially motivated group known for high-profile breaches of Microsoft, AT&T, Ticketmaster, and PowerSchool. They typically sell data on BreachForums, but this Canvas incident marks a pivot to direct extortion of victims rather than third-party buyers.


#### Instructure’s Response

In a May 7 statement, Instructure said:

> “We identified and patched the vulnerability immediately. We have engaged Mandiant to lead our investigation and notified federal law enforcement. We are also resetting all API tokens for third-party integrations.”


The company will offer 24 months of free credit monitoring to staff and students whose PII was confirmed stolen, though notification emails have not yet gone out due to the volume of data.


#### What Should Users Do Now?

1. Change Passwords: Update your Canvas password and any other accounts where you reused it.

2. Enable 2FA: If your school offers multi-factor authentication for Canvas, turn it on.

3. Watch for Phishing: Expect scam emails that reference real class names or teachers to seem legitimate.

4. Parents: Ask your district if your child’s data was in Canvas messages and request FERPA records if concerned.


#### The Bigger Problem: EdTech’s Security Debt

This breach highlights the security risks of consolidated edtech platforms. Canvas became the default LMS during COVID-19, but many districts still connect decades-old plugins without regular audits.


“Schools are data-rich but security-poor,” Chen added. “We need federal minimum standards for edtech vendors, because right now, a breach of one company exposes 9,000 districts.”


The FBI and CISA have issued a joint advisory urging all educational institutions to audit third-party LMS integrations immediately.

