ShinyHunters takes the credit and gives developer an F for security
Students around the world have an excuse to bunk off after hacking crew ShinyHunters did something nasty to educational SaaS Canvas.
Canvas is widely used by schools and universities to communicate with students, publish and store course material, and collect assignments.
An outfit called Instructure develops the software and an entry on its Status Page dated May 2 features Chief Information Security Officer Steve Proud stating the org “recently experienced a cybersecurity incident perpetrated by a criminal threat actor.”
“We are actively investigating this incident with the help of outside forensics experts. We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact,” he added.
Numerous posts report that attempts to log into Canvas earlier this week failed, but did produce a notice from an entity claiming to be the notorious hacking crew ShinyHunters, who claimed the outage was only possible due to lax patching.
The crew also claimed to have stolen data from institutions that use Canvas and threatened to leak it unless a “settlement” is reached by May 12.
Canvas has thousands of customers, meaning any confirmed breach could have wide impact.
As of Thursday evening US time, Canvas says its wares are now available “for most users” and won’t offer further comment.
A student of The Register’s acquaintance – OK, one of my kids – shared an email advising that his uni has prevented access to Canvas while it tries to understand the situation and the risk of data leakage.
We’ve seen multiple universities posting notices about the incident that say more or less the same thing. Most also warn students of heightened phishing risk and urge caution.
Several also advise that as they require students to lodge assignments in Canvas, students can assume they have an extension on deadlines.
Your correspondent’s offspring does not mind this one little bit.
This is an evolving story. The Register will update it as more information becomes available. ®