Data from Universities Around the World Put at Risk by Group of Hackers
Getty Images via Inside Higher Ed
On May 7, information from over 8,000 universities across the world was put at risk after the learning management system Canvas, owned by educational technology company Instructure, was hacked. The names of many users, school-based email addresses, student ID numbers, and personal messages were stolen, according to Instructure, as per CBC.
A group called ShinyHunters has claimed responsibility for the hacking, according to CBC. The group said that they had stolen the personal information of 275 million people, threatening to release it unless paid an undisclosed sum.
According to Malwarebytes, ShinyHunters has been active since 2019 and has been held responsible for the hacking of many websites and companies, including Google, Louis Vuitton, Chanel, and Adidas. Since 2020, they have stolen billions of user records from across hundreds of organizations.
On Apr. 29, according to the Instructure website, they “detected unauthorized activity in Canvas.”
“We immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts,” explained Instructure.
Then, on May 3, according to CNN, ShinyHunters said in a ransom note shared on Ransomware.live — a website that tracks ransomware groups and their victims — that they had breached 275 million individuals’ data and had access to “several billions of private messages.” They gave Instructure a deadline of May 6 to contact them.
Additionally, on May 7, Canvas’ login page was replaced with a ransom message starting with: “Shiny Hunters has breached Instructure (again).” The message went on to say that affected schools had until May 12 to negotiate a settlement, or the hacker group would leak students’ data.
Due to the hacking, many students were unable to hand in assignments or access school materials on Canvas, and final exams at some universities had to be postponed.
Finally, on May 12, an undisclosed ransom agreement was made with the hackers to retrieve the stolen data. The terms of agreement were not shared with the public; however, Instructure, the company behind Canvas, stated that the private data was returned to them.
