Attention Stressed-Out Teachers, Students and Parents: Canvas Has Been Restored after Hack


Access to Canvas has been fully restored following last week’s widespread outage that ensnared thousands of universities, schools, and online home school providers. However, Canvas’s developer, Instructure, has temporarily shut down the “Free-For-Teacher” service after hackers exploited it to infiltrate the platform.

The Free-For-Teacher Accounts

As PCMag reports, for hours on Thursday, May 7, students and professors struggled to access the online platform used to submit assignments and tests. Instructure now says it took Canvas offline as a precaution after the cybercriminal gang ShinyHunters placed an extortion note on the service. “We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the company said in a FAQ about the incident. 

Instructure didn’t elaborate on the nature of the vulnerability. But it looks like the company’s free offering for teachers created a pathway to hijack portions of the online system. ShinyHunters has been known to make English-language phone calls and impersonate employees to trick company employees into granting internal access.

The hackers initially exploited Free-For-Teacher accounts on April 29, which Instructure previously disclosed. But while Instructure seemingly booted the hackers, ShinyHunters regained access on Thursday to post the extortion note across Canvas. 

The good news is that Canvas found no evidence that any user information was stolen this week. However, the hackers were able to loot data during the April 29 intrusion, including “names, email addresses, student ID numbers, and messages among Canvas users.” 

Instructure says it has fully removed the hackers. But to do so, the company decided to pull the Free-For-Teacher service offline as it works to bolster Canvas security. “This was a difficult decision because Free-For-Teacher accounts are an important part of our platform, but it was the right step to protect customers and users while we complete additional safeguards,” it says.

‘Presumably, Parents Will Be Outraged’

The outage has likely dealt a major reputational blow to Instructure and Canvas. Malware research and library service VX Underground notes that it doesn’t appear ShinyHunters stole highly sensitive information, only names and school-related email addresses. Nevertheless, the breach exposed details about underage students since Canvas is also widely used by K-12 school districts.  

“Presumably, parents will be outraged, and this will inevitably result in a lawsuit against the schools or Canvas,” VX Underground adds. In the meantime, some universities are delaying final exams due to the Canvas outage. The stolen messages between students and teachers over Canvas could also expose sensitive details.

It remains unclear if Canvas paid a ransom to ShinyHunters, which threatened to leak the stolen data. The group reportedly removed Instructure from its website, suggesting that a deal had been made. “We are not commenting and have no further comment to make regarding this global incident,” ShinyHunters says.


Photo Credit: VideoFlow / Shutterstock.com