Instructure Data Breach Exposes Millions of Student Records

Severity: High (Score: 66.0)

Sources: Bleepingcomputer, Cybernews, News.Az

Summary

Instructure, the company behind the Canvas learning management system, confirmed a data breach involving a cyberattack by the ShinyHunters gang. The breach exposed personal information of users from nearly 9,000 educational institutions worldwide, affecting approximately 275 million individuals. The stolen data includes names, email addresses, student ID numbers, and private messages, while sensitive information such as passwords and financial data appears to be safe. Instructure is currently investigating the incident with external cybersecurity experts and has implemented security measures, including patching vulnerabilities and increasing monitoring. The attack reportedly exploited a vulnerability in Instructure's systems, which has since been addressed. The company has not disclosed when the breach occurred but is committed to transparency as it continues its investigation. Key Points: • Instructure confirmed a data breach affecting 275 million individuals across 9,000 institutions. • The ShinyHunters gang claimed responsibility, exploiting a vulnerability in Instructure's systems. • No evidence suggests that sensitive data like passwords or financial information was compromised.

Key Entities

• Data Breach (attack_type)
• Ransomware (attack_type)
• Infinite Campus (company)
• Instructure (company)
• PowerSchool (company)
• Salesforce (company)
• Education (company)
• CWE-200 - Exposure of Sensitive Information (cwe)
• news.az (domain)
• T1041 - Exfiltration Over C2 Channel (mitre_attack)
• T1567 - Exfiltration Over Web Service (mitre_attack)
• Canvas (tool)