ShinyHunters Threatens to Leak 3.5 TB of Student Data as Canvas Restores Service
ShinyHunters claims to have stolen 3.5TB of student records and demands ransom; Canvas is partially back online amid exam season disruptions.

*TL;DR: ShinyHunters says it stole 3.5 TB of student data and will publish it unless a ransom is paid by May 12; Canvas is now functional for most users but many institutions remain in recovery.*

Context

The web‑based learning platform Canvas, operated by Instructure, supports roughly 30 million users worldwide and serves about 9,000 schools and universities. On May 3 the service went offline after a breach attributed to the ShinyHunters cybercrime group. The outage coincided with end‑of‑year exams in the United States and other regions, prompting urgent calls for continuity.

Key Facts

- ShinyHunters announced it exfiltrated 3.5 TB of data, including names, email addresses, student IDs and private messages, and set a May 12 deadline for a ransom payment.
- Instructure reported on Saturday that Canvas is “available for most users” and that no new incidents were observed that day.
- Universities in Australia, Canada and the United Kingdom confirmed partial restoration; the University of Sydney still blocks access pending checks, while the University of Alberta reports reduced functionality.
- The FBI confirmed awareness of a service disruption affecting educational institutions but did not name Canvas.
- Affected institutions span the United States, the Netherlands, Sweden, Australia and the United Kingdom, with major schools such as Penn State, Harvard, Columbia and Georgetown scrambling to adjust exam schedules.
- ShinyHunters, active since 2019, previously claimed credit for the Rockstar Games breach. Their tactics include data theft followed by extortion demands, a pattern reflected in the current incident.

What It Means

The breach highlights the vulnerability of large‑scale SaaS (software‑as‑a‑service) platforms that store sensitive personal data. With millions of students potentially exposed, the incident could trigger compliance investigations under regulations such as FERPA (U.S. education privacy law) and GDPR (EU data‑protection rule). Institutions may face legal exposure if personal data is published.

Mitigations – What Defenders Should Do

1. Patch and Harden – Verify that all Canvas components run the latest versions; apply any vendor‑issued patches immediately.
2. Monitor for Credential Abuse – Deploy detection rules for MITRE ATT&CK technique T1110 (Brute Force) and T1078 (Valid Accounts) to spot suspicious logins.
3. Encrypt Data at Rest – Ensure that stored student records are encrypted using strong algorithms (e.g., AES‑256) to limit impact of exfiltration.
4. Implement Multi‑Factor Authentication (MFA) – Require MFA for all administrative and privileged accounts to block credential‑based lateral movement.
5. Conduct Incident Response Drills – Test communication plans for data‑leak extortion scenarios, including legal counsel and public‑relations coordination.
6. Review Third‑Party Access – Audit API keys and integrations for unnecessary permissions; revoke any that are not essential.
7. Prepare for Disclosure – Draft breach‑notification templates that satisfy FERPA and GDPR timelines, should the data be released.
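
An added example, not from the original article or from Instructure, of the credential-abuse monitoring step in the mitigations above: it flags a burst of failed logins on one account (T1110) and a successful login that follows such a burst or comes from a source not seen before for that account (T1078). The event tuples, the five-failure threshold and the five-minute window are constructed assumptions, not a real Canvas log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not a real Canvas log format:
# (ISO timestamp, account, source IP, outcome)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "teacher1", "198.51.100.10", "success"),
    ("2024-01-01T10:00:00", "admin1", "203.0.113.7", "fail"),
    ("2024-01-01T10:00:20", "admin1", "203.0.113.7", "fail"),
    ("2024-01-01T10:00:40", "admin1", "203.0.113.7", "fail"),
    ("2024-01-01T10:01:00", "admin1", "203.0.113.7", "fail"),
    ("2024-01-01T10:01:20", "admin1", "203.0.113.7", "fail"),
    ("2024-01-01T10:02:00", "admin1", "203.0.113.7", "success"),
    ("2024-01-01T11:00:00", "teacher1", "192.0.2.55", "success"),
    ("2024-01-01T12:00:00", "teacher1", "198.51.100.10", "success"),
    ("2024-01-01T13:00:00", "student1", "198.51.100.20", "fail"),
    ("2024-01-01T13:00:30", "student1", "198.51.100.20", "success"),
]

def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return alerts as (technique, account, source_ip, timestamp) tuples."""
    fails = defaultdict(deque)    # account -> times of failures inside the window
    known_ips = defaultdict(set)  # account -> IPs of earlier successful logins
    alerts = []
    for ts, account, ip, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        recent = fails[account]
        while recent and now - recent[0] > window:
            recent.popleft()      # forget failures older than the window
        if outcome == "fail":
            recent.append(now)
            if len(recent) == threshold:  # alert once, when the burst crosses the threshold
                alerts.append(("T1110", account, ip, ts))
        elif outcome == "success":
            burst = len(recent) >= threshold
            new_source = bool(known_ips[account]) and ip not in known_ips[account]
            if burst or new_source:       # success after a burst, or from an unseen source
                alerts.append(("T1078", account, ip, ts))
            known_ips[account].add(ip)
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rule counts failures per account only; failures spread across many accounts from one source would need a second counter keyed on source IP.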

Looking Ahead

Watch for any public release of the stolen data and for updates from Instructure on whether a ransom was paid or a law‑enforcement takedown is underway.