Hackers Deface Canvas Login Pages, Threaten to Leak 231 Million Records
Instructure shut Canvas down after ShinyHunters altered login pages at three schools, warning of a May 12 leak of data on 231 million individuals.

TL;DR
– Hackers from the ShinyHunters group injected malicious HTML into Canvas login pages at three schools, prompting Instructure to take the platform offline and warn of a planned leak of data on 231 million individuals.
Context
On Tuesday Instructure disclosed a breach that exposed student names, personal email addresses and teacher‑student messages from nearly 9,000 schools. The same threat actor resurfaced this week, targeting the company’s Canvas learning‑management system.
Key Facts
- ShinyHunters placed a custom HTML file on the login screens of three separate schools, replacing the normal sign‑in form with a ransom note. The note demands a settlement and threatens to publish the stolen data on May 12.
- Instructure’s spokesperson confirmed the alteration exploited a flaw in the Free‑For‑Teacher account feature. The company responded by shutting Canvas down “out of an abundance of caution” and disabling those free accounts.
- The group claims the original breach yielded data on 231 million individuals, a figure derived from the 9,000 schools affected.
- Canvas later returned online with a maintenance banner, but the incident underscores persistent access to the platform’s authentication layer.
What It Means
The attack demonstrates a two‑stage extortion model: first, exfiltrate large data sets; second, use visible defacement to pressure the vendor into payment. By targeting the login page, the actors gained a high‑visibility foothold without needing to compromise additional backend systems. The use of HTML injection suggests a web‑application vulnerability, possibly a lack of proper input sanitisation on custom login pages.
Mitigations – What Defenders Should Do
1. Patch and Review Free‑For‑Teacher Accounts – Disable or tightly restrict any publicly accessible account creation features until a security review confirms they cannot be abused for code injection.
2. Implement Content‑Security Policy (CSP) – Enforce a CSP that blocks inline scripts and unauthorized external resources, limiting the impact of injected HTML.
3. Deploy Web‑Application Firewalls (WAF) – Use rule sets that detect and block anomalous HTML payloads targeting login endpoints.
4. Monitor for Unauthorized Changes – Enable file‑integrity monitoring on web servers and set alerts for modifications to login page assets.
5. Conduct Red‑Team Exercises – Simulate credential‑theft and page‑defacement scenarios to validate detection and response processes.
6. Prepare Incident Response Playbooks – Include steps for rapid service takedown, public communication, and coordination with law‑enforcement when extortion demands arise.
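As an added illustration of mitigations 2 and 4 (not code from Instructure or from the original article), the following check audits a login page asset for a changed body, a missing sign-in form, inline scripts, and a weak or absent CSP. The function names, finding labels and sample pages are assumptions constructed for this example, and it assumes the login page is static enough to hash (per-request tokens would need to be stripped first).

```python
import hashlib
from html.parser import HTMLParser

class LoginPageAudit(HTMLParser):
    """Counts the elements a sign-in page should keep, plus inline scripts."""
    def __init__(self):
        super().__init__()
        self.forms = self.password_inputs = self.inline_scripts = 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script" and "src" not in attrs:
            self.inline_scripts += 1

def csp_findings(headers):
    """Return findings for a missing CSP or one that does not restrict inline script."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["csp-missing"]
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive is the one browsers apply
            directives.setdefault(tokens[0].lower(), tokens[1:])
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["csp-no-script-restriction"]
    # Conservative: flagged even if a nonce or hash would make browsers ignore it.
    return ["csp-allows-inline-script"] if "'unsafe-inline'" in script_src else []

def audit_login_page(body, headers, baseline_sha256):
    """Compare one login page response against its known-good baseline."""
    findings = csp_findings(headers)
    if hashlib.sha256(body.encode()).hexdigest() != baseline_sha256:
        findings.append("body-changed")
    audit = LoginPageAudit()
    audit.feed(body)
    if audit.forms == 0 or audit.password_inputs == 0:
        findings.append("login-form-missing")
    if audit.inline_scripts:
        findings.append("inline-script-present")
    return findings

# Constructed sample pages and headers, not captured from any real site.
GOOD_PAGE = ('<html><body><form action="/login" method="post"><input type="text" '
             'name="user"><input type="password" name="pass"></form></body></html>')
GOOD_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}
DEFACED_PAGE = "<html><body><h1>Placeholder notice</h1><script>/* x */</script></body></html>"
BASELINE = hashlib.sha256(GOOD_PAGE.encode()).hexdigest()
```

Run on a schedule against each tenant's login URL, any non-empty findings list is the alert condition described in mitigation 4.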
The next critical development will be whether ShinyHunters follows through on the May 12 deadline, and how Instructure’s remediation efforts affect the broader education‑tech supply chain.