Hackers Exploit Canvas XSS Flaws to Steal 3.6 TB of Data and Deface LMS Portals
What Happened — Instructure’s Canvas learning‑management system was compromised via multiple cross‑site scripting (XSS) vulnerabilities. Attackers first exfiltrated ≈ 3.6 TB of data (≈ 275 million records) and later reused the same flaw to hijack admin sessions and deface login portals with an extortion message.
Why It Matters for TPRM —
- Large‑scale credential and student‑record exposure across thousands of schools.
- Demonstrates how a single web‑app flaw can enable both data theft and ransomware‑style extortion.
- Highlights the risk of free‑tier SaaS offerings that may receive fewer security hardening resources.
Who Is Affected — K‑12 schools, colleges, universities, and online education platforms that use Canvas (≈ 8,800 institutions).
Recommended Actions —
- Verify that any third‑party LMS providers have patched XSS issues and conduct a code review of how user‑generated content is stored, sanitized, and rendered.
- Re‑assess data‑classification and encryption controls for student information stored in SaaS LMS solutions.
- Require evidence of incident‑response and forensics from the vendor; update contracts to include breach‑notification clauses.
Technical Notes — The breach leveraged XSS bugs in user‑generated content features, granting attackers authenticated admin sessions. No CVE had been publicly assigned at the time of reporting. Stolen data includes usernames, email addresses, course enrollments, and messages. The defacement used the same XSS vector to inject malicious JavaScript into the login page. Source: BleepingComputer
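The mitigation side of the technical notes above, as an added illustrative example (not Canvas or Instructure code, and not based on how Canvas handles content): context-aware output encoding of user-generated content before it lands in a page, a rendering sanity check, and the session-cookie and Content-Security-Policy settings that limit what an injected script could reach. The function names, the cookie name, and the sample post body are constructed for this example.

```javascript
// Added example (not Canvas/Instructure code): output encoding of user-generated
// content plus session-cookie and CSP hardening that limit what stored XSS can do.
// All names and sample values below are constructed placeholders.

// Encode the five characters that change meaning in an HTML text or attribute
// context. Escaping '&' first avoids double-encoding the entities we emit.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render a user-supplied discussion post as inert text inside a fixed template,
// so markup typed by the author is displayed literally rather than executed.
function renderUserPost(author, body) {
  return `<article class="post"><h3>${escapeHtml(author)}</h3>` +
         `<p>${escapeHtml(body)}</p></article>`;
}

// Sanity check for a rendered fragment: the only tags present must be the ones
// the template itself emits. Useful as a unit test around any rendering path.
function onlyTemplateTags(html) {
  const allowed = new Set(['article', '/article', 'h3', '/h3', 'p', '/p']);
  const tags = [...html.matchAll(/<\s*([^\s>]+)/g)].map(m => m[1].toLowerCase());
  return tags.every(t => allowed.has(t));
}

// Set-Cookie header for a privileged session. HttpOnly keeps the token out of
// document.cookie, so script injected via XSS cannot read it directly; Secure
// and SameSite=Lax add transport and cross-site request protection.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error('unexpected session id format');
  }
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Content-Security-Policy that forbids inline script and remote script sources:
// a stored payload that slips past encoding is then refused by the browser.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; " +
         "base-uri 'self'; frame-ancestors 'none'";
}

// Constructed sample: a post body that happens to contain markup and quotes.
const SAMPLE_BODY = 'Great lecture <b onmouseover="notify()">today</b> & see you "tomorrow"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUserPost('student01', SAMPLE_BODY));
  console.log(sessionCookieHeader('_lms_session', 'constructed-session-id-123'));
  console.log(cspHeader());
}
```

The escaping here is for HTML text and attribute contexts only; content placed into a JavaScript string, a URL, or a CSS value needs the encoder for that context. The cookie and CSP headers are defense in depth rather than a replacement for encoding: they shrink the impact of a missed spot, which is exactly the admin-session hijack described above.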