Instructure confirms hackers used Canvas flaw to deface portals
Key Points:
- Education technology company Instructure confirmed that a security vulnerability in its Canvas LMS allowed hackers to modify login portals and leave an extortion message.
- The breach involved multiple cross-site scripting (XSS) vulnerabilities that enabled attackers to gain authenticated admin sessions and perform privileged actions.
- The hacking group ShinyHunters stole over 3.6 terabytes of data, including usernames, email addresses, course details, and messages, and later attempted to extort Instructure by defacing login portals.
- Instructure temporarily took Canvas offline, shut down Free-for-Teacher accounts, and has since restored the platform while applying additional safeguards.
- No data was compromised during the login portal defacement, but the initial breach resulted in significant data theft affecting schools and educators using Canvas.