Instructure Disables Free-For-Teacher Canvas Accounts After Hack Exposes Student Data
Canvas breach forces shutdown of Free-For-Teacher accounts; attackers demand TOX contact. Timeline, impact, and defender actions.

TL;DR: Instructure temporarily disabled Free-For-Teacher Canvas accounts after attackers altered login pages to demand private TOX contact, exposing student data; the platform is now fully restored.
Context: On the day of the incident, a Weber State University nursing student saw a brief pop‑up message while submitting an assignment in Canvas. The message warned that schools could prevent data release by contacting the attackers via the encrypted TOX chat platform. She captured a screenshot, logged out, and notified her institution’s IT team, which prompted Instructure to investigate.
Key Facts: Instructure confirmed that an unauthorized actor exploited a vulnerability tied to Free-For-Teacher accounts, modifying the pages shown to some students and teachers. The attackers demanded that affected schools reach out privately on TOX to avoid public disclosure of the compromised data. As a precaution, Instructure took Canvas offline, shut down the Free-For-Teacher tier, and later restored the service after verifying the fix. The breach potentially affects millions of Canvas users across K‑12 and higher education.
What It Means: The incident highlights how a flaw in a specific account type can be leveraged for widespread disruption and extortion. Schools relying on the free tier lost access while the tier was shut down, and the TOX demand suggests the attackers sought direct negotiation rather than an immediate public leak. No public attribution has been made, but the use of TOX indicates an attempt to avoid traceable communication channels.
Mitigations:
- Apply Instructure’s patch for the Free-For-Teacher account vulnerability (refer to advisory IS‑2024‑001).
- Enforce multi‑factor authentication for all Canvas admin and teacher accounts.
- Deploy web‑application firewall rules to block unauthorized page modifications and monitor for unexpected JavaScript injections.
- Review logs for TOX‑related outbound connections and alert on any contact attempts from known threat‑actor infrastructure.
- Educate users to report anomalous pop‑ups immediately and to avoid engaging with extortion demands.
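One way to implement the "monitor for unexpected JavaScript injections" item above is a page-integrity check that compares the scripts actually served on a login page against a known-good baseline. The code below is an added example, not Instructure's code and not from the original article; the allowed script hosts, the known inline-script hash, the page hostname lms.example.edu and both sample pages are constructed for the example.

```python
"""Script-integrity audit for an LMS login page (added example, not Instructure's code).

A defender runs this against the HTML the login page currently serves and
compares every <script> element against a baseline captured when the page
was known to be clean. Any script from an unlisted host, or any inline
script whose SHA-256 is not in the baseline, is reported as a finding.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Baseline (constructed for the example): hosts allowed to serve scripts and
# SHA-256 digests of the inline scripts the clean page is known to contain.
ALLOWED_SCRIPT_HOSTS = {"lms.example.edu", "cdn.example-lms.net"}
KNOWN_INLINE_HASHES = {
    hashlib.sha256(b"window.ENV = {locale: 'en'};").hexdigest(),
}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
            self._in_inline = False
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # Script content may arrive in several chunks; buffer until </script>.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_page(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
               known_hashes=KNOWN_INLINE_HASHES):
    """Return a list of (finding_kind, detail) tuples; an empty list means clean."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        # A relative src (no host part) is same-origin, so attribute it to the page host.
        host = urlparse(src).netloc or page_host
        if host not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in known_hashes:
            findings.append(("unexpected-inline-script", body[:60]))
    return findings


# Constructed sample pages: the clean baseline page and a tampered copy that
# carries one extra external script and one extra inline script.
CLEAN_PAGE = (
    '<html><head><script src="/dist/app.js"></script>'
    "<script>window.ENV = {locale: 'en'};</script></head>"
    '<body><form id="login"></form></body></html>'
)
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://203.0.113.7/s.js"></script>'
    "<script>document.title = 'tampered';</script></head>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_page(page, "lms.example.edu"))
```

In practice the baseline is captured from the page at a known-good moment and refreshed through change control, and the audit runs on a schedule from outside the application so that a page modification like the one described above is caught even when the application's own logs are not yet being reviewed.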
What to watch next: Instructure’s post‑mortem report, any further extortion attempts via TOX, and whether law enforcement attributes the activity to a known cybercrime group.