Keypoints
- ShinyHunters claims it breached Instructure’s Canvas system.
- Nearly 9,000 educational institutions are said to be affected.
- The group extended its payment deadline to May 12.
- The alleged stolen data includes names, emails, student IDs, and user communications.
- Harvard, MIT, Columbia, and UC Berkeley are among the named institutions.
The group that stole data from Instructure users claims that it will release the data of students from nearly 9,000 education institutions around the country.
Listen to this article
0:00
Learn more.
This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
(Getty Images)
ShinyHunters, the prolific criminal hacker and extortion group, on Thursday provided additional details about its recent breach of Canvas, the learning management system developed by Instructure, with hopes of coaxing payments from some of the nearly 9,000 educational institutions it claims are affected.
After announcing on May 1 that it had exfiltrated several terabytes of data containing the personal information of 275 million users, it announced a deadline of Thursday before “everything is leaked and there will be no chance at a negociation for anyone. Instructure has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data. Our demand was not even as high as you might think it is.”
On Thursday, the group presented to Canvas users a second message and extended the deadline for payment until May 12. “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the note reads. The group advised affected schools to consult security professionals and use the Tox messaging protocol to negotiate a “settlement.”
The attached list of affected institutions includes many school districts, along with well-known universities, including Cambridge, Columbia, Cornell, Georgetown, Harvard, MIT and UC Berkeley.
Advertisement
There are mixed reports of exactly which organizations are affected and what sort of data is included in the breach. Tech Radar reported that affected data includes names, email addresses, student ID numbers and user communications, but that passwords, dates of birth and financial information were not involved.