Education giant Instructure has confirmed that data was stolen during a cyber attack, which the ShinyHunters gang has claimed responsibility for.
Instructure is a US-based education technology company best known for creating Canvas, a widely used learning management system that helps schools, universities, and organizations manage courses, assignments, and online learning.
On Friday, Instructure disclosed that it has encountered a cybersecurity incident and is working with third-party cybersecurity experts and law enforcement to investigate it.
On Saturday, the company issued an update saying that users’ personal information was exposed in the breach.
“Although we are continuing our ongoing investigation, so far, indications are that the data involved contains some information that identifies users at the affected institutions, such as names, email addresses, and student ID numbers, as well as messages between users,” reads the updated statement.
“At this time, we have received no evidence that passwords, birthdays, government identifiers, or financial information were involved. If that changes, we will notify any agencies involved.”
As part of the response, Instructure issued patches, increased monitoring, and rotated keys for applications as a precaution.
Customers are required to reauthorize access to Instructure’s API to issue new application keys.
While Instructure has not yet responded to BleepingComputer’s questions about when the breach occurred and whether they were being scammed, hacker group ShinyHunters has now listed the company on their data leak list.
“Approximately 9,000 schools worldwide were affected. 275 million individual data from students, teachers, and other staff contained PII,” the site of the data leak reads.
“Several billions of private messages between students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and additional data was involved.”
ShinyHunters claims data was stolen from Instructure via a vulnerability in their systems, which has now been patched.
The database allegedly contains more than 240 million records of students, teachers and staff. The threat actor says the information includes student names, email addresses, courses enrolled, and private messages to teachers.
The information shared by the threat actor shows that the suspected data set covers almost 15,000 institutions hosted in many regions, including North America, Europe and Asia-Pacific.
BleepingComputer could not independently confirm which schools or how many people were affected and has contacted Instructure with additional questions about the threat actor’s claims.
AI has tied four zero days to a single exploit that bypasses both renderer and OS sandboxes. A wave of new exploits is coming.
At the Automated Validation Conference (May 12 & 14), see how autonomous, context-rich validation finds usability, validates controls, and closes the correction loop.
Find Your Place
