Schools Negotiated with ShinyHunters After 6.65TB Canvas Breach Exposes 9,000 Institutions

Context Canvas, Instructure’s learning‑management system, serves about 30 million active users from kindergarten through college. On May 1 the company announced it was investigating a cybersecurity incident. The next day its CISO said the compromised data included user names, email addresses, student IDs and private messages. The attack originated in the Free‑for‑Teacher service, a publicly facing component that lets educators create courses without a paid license.

Key Facts - On May 3 ShinyHunters posted that they had exfiltrated roughly 6.65 TB of Canvas data, impacting close to 9,000 schools globally. - On May 5 the group said Instructure had not entered talks over their extortion demand, describing the amount as “not even as high as you might think it is,” and listed about 1,400 schools as open for direct negotiation. - Instructure took Canvas offline on May 7 for approximately four hours, restored access after confirming hackers had altered pages visible to some users, and subsequently shut down the Free‑for‑Teacher service pending further review. - As of May 7 ShinyHunters removed their public messages about the incident, a behavior that sometimes signals ongoing negotiation or payment.

What It Means The breach highlights how a vulnerability in a publicly accessible service can be leveraged to harvest massive volumes of educational data. Attackers likely used an exploit of the Free‑for‑Teacher component (MITRE ATT&CK T1190 – Exploit Public‑Facing Application) to gain initial access, then exfiltrated data via standard web protocols (T1041 – Exfiltration Over C2 Channel). For defenders, the immediate steps are: 1. Verify that the Free‑for‑Teacher service is disabled or patched; apply any vendor‑issued advisory for the affected component. 2. Monitor logs for anomalous authentication attempts and unusual outbound data transfers, especially to unfamiliar IP ranges. 3. Enforce multi‑factor authentication on all admin and educator accounts to mitigate credential‑based follow‑on attacks (T1078 – Valid Accounts). 4. Review third‑party integrations and ensure least‑privilege access principles are applied across the Canvas environment. 5. Consider deploying a web‑application firewall rule set that blocks known exploit patterns targeting the service’s API endpoints.

What to watch next Watch for any official statement from Instructure regarding potential payment or data‑release decisions, and monitor whether ShinyHunters attempts to sell or leak the claimed 6.65 TB dataset on underground forums.