
Schools Negotiate Directly with ShinyHunters After 6.65 TB Canvas Breach

ShinyHunters stole 6.65 TB of Canvas data from nearly 9,000 schools, prompting districts to negotiate directly to stop a data leak.

By Peter Olaleru, Cybersecurity Editor


*TL;DR ShinyHunters exfiltrated 6.65 TB of Canvas data affecting almost 9,000 schools; many districts are now negotiating directly with the group to prevent exposure.*

Context

Canvas, the learning‑management system used by 30 million students worldwide, suffered a massive data breach in late April. Instructure, Canvas’s parent company, announced an investigation on May 1 and restored service by May 6. The breach resurfaced on May 7 when students saw a note from the hacking group ShinyHunters on the login page, forcing Instructure to take the platform offline for a few hours.

Key Facts

- ShinyHunters disclosed on May 3 that it had stolen roughly 6.65 TB of data, including student names, email addresses, IDs and private messages between students and staff. The data spanned nearly 9,000 schools across the globe.
- The group claimed Instructure had not contacted them and that its ransom demand was “not even as high as you might think it is.”
- A list of about 1,400 schools and districts was posted, inviting each to negotiate directly with the hackers to avoid a public dump of the data.
- On May 7, the note appeared on Canvas login screens; Instructure briefly disabled Canvas, Canvas Beta and Canvas Test, restoring the main service after four hours while keeping the test environments in maintenance mode.
- Schools reported disruption to end‑of‑year assignments and exam preparation as students and staff could not access coursework.

What It Means

The breach highlights the risk of third‑party SaaS platforms storing large volumes of personally identifiable information (PII). Attackers likely leveraged credential stuffing or API key theft to extract data, a common tactic catalogued as ATT&CK technique T1078 (Valid Accounts). No specific CVE (software vulnerability) has been disclosed, suggesting the compromise stemmed from weak authentication or misconfigured access controls rather than a software flaw.

Mitigations

- Enforce multi‑factor authentication for all Canvas accounts, especially privileged users.
- Rotate API keys and service accounts regularly; audit for unused credentials.
- Deploy credential‑access monitoring to detect anomalous logins (ATT&CK T1110 – Brute Force).
- Apply least‑privilege principles: restrict message‑view permissions to only those who need them.
- Conduct a full forensic review of Canvas logs for signs of exfiltration and share findings with Instructure’s incident response team.
- Update incident‑response playbooks to include third‑party SaaS breach scenarios and establish clear communication channels with vendors.
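
One way to implement the credential‑access monitoring item above, as an added example that is not code from the article, Instructure or Canvas. The log format, the five‑minute window and the four‑account threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT a real Canvas or Instructure log format.
# Fields: ISO timestamp, source IP, account, outcome (FAIL or OK).
SAMPLE_LOG = """\
2025-01-01T09:00:01 203.0.113.7 alice@example.edu FAIL
2025-01-01T09:00:03 203.0.113.7 bob@example.edu FAIL
2025-01-01T09:00:04 198.51.100.20 erin@example.edu FAIL
2025-01-01T09:00:05 203.0.113.7 carol@example.edu FAIL
2025-01-01T09:00:08 203.0.113.7 dave@example.edu FAIL
2025-01-01T09:00:09 198.51.100.20 erin@example.edu OK
2025-01-01T09:00:12 203.0.113.7 frank@example.edu OK
2025-01-01T09:20:00 198.51.100.20 erin@example.edu FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_ACCOUNTS = 4               # assumed threshold of distinct accounts per IP

def parse(text):
    """Yield (timestamp, ip, account, outcome) tuples from the sample format."""
    for line in text.strip().splitlines():
        ts, ip, account, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, account, outcome

def detect_stuffing(text, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Flag IPs that fail logins on >= min_accounts distinct accounts in window.

    A later success from a flagged IP is listed under "suspect_logins": the
    brute-force pattern (T1110) turning into use of a valid account (T1078).
    """
    failures = defaultdict(list)  # ip -> [(timestamp, account)] inside window
    alerts = {}
    for ts, ip, account, outcome in sorted(parse(text)):
        if outcome == "FAIL":
            recent = [(t, a) for t, a in failures[ip] if ts - t <= window]
            recent.append((ts, account))
            failures[ip] = recent
            targets = {a for _, a in recent}
            if len(targets) >= min_accounts:
                entry = alerts.setdefault(ip, {"targets": set(), "suspect_logins": set()})
                entry["targets"] |= targets
        elif outcome == "OK" and ip in alerts:
            alerts[ip]["suspect_logins"].add(account)
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, sorted(info["targets"]), sorted(info["suspect_logins"]))
```

Counting distinct accounts per source, rather than raw failures, keeps a single user who mistypes a password (the second IP in the sample) from raising an alert.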

What to Watch Next

Watch for any public release of the stolen data, which could trigger phishing campaigns targeting students and staff, and monitor Instructure’s forthcoming security advisory for additional hardening steps.
