INSTRUCTURE , the U.S.-based educational technology firm behind Canvas, is investigating a cyber incident that exposed users’ personal data, with the company stating the incident is contained as investigations continue. The breach appears to involve identifying information such as names, email addresses and student ID numbers, and some user messages, while there is no evidence that passwords, dates of birth, government IDs or financial data were involved, according to the Incident Report.
The company has revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems while it monitors for new findings. ShinyHunters, the extortion group, claimed responsibility for the attack and added the company to its data leak site, with the attackers stating that nearly 9,000 schools worldwide were affected and that hundreds of millions of individuals’ data could be involved, according to the group’s leak site.
Instructure says it continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.