Oh my … I’m really trying not to go on any more diatribes, because we really haven’t learned anything. But here we go again with more educational stuff.
The hacker behind a breach at education technology giant Instructure claims to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms.
The next paragraph talks about who this company is.
Instructure is a cloud-based education technology company best known for its Canvas learning management system, which schools and universities use to manage coursework, assignments, grading, and communication.
Canvas is similar to Blackboard, and I understand there are multiple articles out about a potential issue there. One came from my Transit Security feed from Google News and one came from CNN that Herbie told me about.
At this time, I’ve not read about Blackboard yet, so I am not going to go any further in that discussion than to say that we are aware that they have been pilfered too.
The article continues:
Last Friday, Instructure disclosed that it was investigating a cyberattack and later revealed that it had suffered a data breach, during which users’ names, email addresses, and private messages were exposed.
Is that all this company has on everyone, or is there more we don’t know? That’s going to be the biggest question.
While some schools are talked about within the article, we’re talking 8,800-plus schools, and possibly district info too.
Who do you think the supposed actor group is that claimed responsibility for the attack? You have ten ruler lines to make your guess.
1
2
3
4
5
6
7
8
9
-
Time is up. If you guessed ShinyHunters, you’re correct.
ShinyHunters has been around a while, and is still going strong by the looks of this. From what I’ve read, no money figure was given with regard to what they want for all this data, unless I missed it.
The ShinyHunters extortion gang claimed responsibility for the attack and says it stole 280 million records for students, teachers, and staff.
My question is whether children are involved, or whether these are adult students. Curious minds want to know.
The threat actors have now published a list of 8,809 school districts, universities, and educational platforms whose Canvas instances were allegedly impacted by the attack, sharing record counts per institution with BleepingComputer.
Great. So they’re doing PR to show what they have, and now Bleeping has to figure out what is true and what isn’t. BTW, Have I Been Pwned does not show anything about the Canvas breach at this time. XposedOrNot does not have this in their database either.
The record counts for each educational institution range from tens of thousands to several million per institution.
Great! Several thousand for my institution, at least a quarter million for Preston’s institution, and up to a million for Nick’s institution. If not several thousand for me, then tens of thousands for me. Then how the hell can I verify that type of a claim without knowing what the hell you have? Oh my.
BleepingComputer is not naming specific organizations listed by the threat actor, as we have not independently verified whether they were impacted by the breach.
Good. Don’t name anyone that can’t be confirmed. That’s great reporting, and we respect great reporting.
The threat actor claims the data was stolen using Canvas data export features, including DAP queries, provisioning reports, and user APIs, and that they harvested hundreds of gigabytes of user records, messages, and enrollment data.
So the company hasn’t been truthful, as the claim now is that there is enrollment data. What is included in enrollment data? Probably everything including but not limited to name, address, phone number(s), email address, SSN, date of birth, and possibly more that I did not mention.
Is Canvas at fault here? Did they come out and tell the truth? Read the full article titled “Instructure hacker claims data theft from 8,800 schools, universities” for complete details.
The company has not responded to BleepingComputer’s inquiries. Comment requested.