Ransomware Group ShinyHunters Disrupts Canvas LMS, Affecting 30 Million Students and Educators
What Happened — The ransomware gang ShinyHunters compromised Instructure’s Canvas learning‑management system, redirecting users to a ransom note and forcing the vendor to take the platform offline. The attackers exploited an unspecified vulnerability in the free “Free‑For‑Teacher” version of Canvas, which led to two breach attempts within a week.
Why It Matters for TPRM —
- Service outage impacts academic continuity for millions of K‑12 and higher‑education users.
- Threat actors claim to have exfiltrated student and teacher data from ~8,000 institutions, raising data‑privacy risk.
- The incident highlights supply‑chain exposure when a SaaS vendor’s free tier is leveraged as an attack surface.
Who Is Affected — K‑12 schools, colleges, universities, and other educational institutions worldwide that use Canvas (≈30 M active users).
Recommended Actions — Review Instructure’s security controls and incident‑response posture, validate that no credential or data leakage occurred, and ensure contractual clauses address vulnerability management for free‑tier services.
Technical Notes — Attack vector: exploitation of an undocumented vulnerability in the Free‑For‑Teacher version of Canvas. Instructure’s forensics found no evidence of persistence, credential theft, or data exfiltration. The ransom note was delivered via page redirection after login. Source: DataBreachToday