INSTRUCTURE , the Canvas Learning Management System maker, has come to terms with the cybercriminal extortion group responsible for data stolen in a breach affecting nearly 9,000 educational institutions. According to incident update, the company has “reached an agreement with the unauthorized actor involved in this incident,” though it has not stated whether money changed hands.
The stolen data has reportedly been returned, with digital confirmation of its destruction and assurances that no Instructure customer will be separately extorted. The attackers are understood to be the ShinyHunters collective, and the campaign saw a second wave on 7 May when roughly 330 institutions had their Canvas login portals defaced with extortion messages, ahead of a 12 May negotiation deadline.
The original breach purportedly siphoned about 275 million records, including usernames, email addresses, course names and enrollment information, while Instructure says course content and credentials were not compromised. In response, the firm temporarily shut down Free-For-Teacher accounts, revoked privileged credentials, rotated internal keys and deployed additional security controls.