
Canvas’s parent reaches agreement with cybercriminal group that stole user data

The company did not say what it paid the hacker group to obtain these terms.

Instructure, the parent company behind Canvas, the education management platform that was reportedly hacked by ShinyHunters, has reached an agreement with a group of cyber criminals, it said yesterday (11 May). The hackers gave the universities concerned until tomorrow (12 May) to negotiate an agreement.

According to the agreement, the cybercriminal group returned the stolen information, removed the copies and agreed not to defraud the institutions affected by the hack, Instructure said. The company did not say what it paid the hacker group to obtain these terms.

Reportedly created around 2020, ShinyHunters has claimed responsibility for elaborate, financially motivated attacks in recent years on groups such as Salesforce, Allianz Life, SoundCloud, Ticketmaster and Tinder-parent Match Group.

The group was linked to the breach of the European Commission’s Europa.eu platform in March, where 350GB of data, across databases, was reportedly accessed and stolen.

It reportedly began targeting edtech giant Instructure late last month. Instructure first noticed unauthorized activity on Canvas on April 29, and later on May 7.

ShinyHunters claimed responsibility for the attack and said it stole 280m records. The threat actor also published a list of more than 8,800 institutions affected by its Canvas attack. In a May 3 ransom note, it threatened to leak “several billions of private messages between students and teachers.”

In Ireland, the platform is used by the likes of the University of Galway and Munster Technological University – both of which faced disruption following the hack.

Instructure, at the time, said the stolen data included user-identifying information such as names, email addresses, text messages and student ID numbers at the institutions involved. It has notified the US FBI, the Cybersecurity and Infrastructure Security Agency and other law enforcement agencies, it said.

In its latest update, the company said an unauthorized actor exploited an issue related to its ‘free teacher’ accounts to hack into Canvas. As a result, the feature has been temporarily disabled. Other services, however, are fully operational, it added.

“ShinyHunters has decided that this attack has bitten too much,” said Raluca Saceanu, CEO of Smarttech247.

“As the exam season continued and the school year drew to a close, schools and universities needed Canvas to work. That dependency gave ShinyHunters the power to set the terms of their agreement. For Canvas, and its parent Instructure, it was either agree to the terms or lose customers.”

“While the technical recovery time for ransomware attacks is increasing, attackers are responding by changing their focus and making the broader consequences of an organization more dangerous than ever.”

“It is not just a question of causing as much damage as possible. From the point of view of the attackers, these new methods are fast, cheap, stealthy and carry low technical risks. And the main rule of fraud holds anywhere – even if the victim pays, there is no guarantee data will not be disclosed anyway, and the organization has now marked itself as a more useful target,” Saceanu said.
