Instructure, a prominent player in the education technology sector, has acknowledged a significant data breach impacting the private information of students. The hacking group known as ShinyHunters has claimed responsibility for this incident.
The breach reportedly involved the theft of sensitive data, including students' names, personal email addresses, and communications exchanged between teachers and students, all of which Instructure has confirmed were compromised.
This incident marks another chapter in a series of cyberattacks attributed to the ShinyHunters group, which has previously targeted various educational institutions and cloud database providers. Their strategy often involves stealing extensive personal information and threatening to publish it unless a ransom is paid.
A sample of the stolen data shared by a ShinyHunters member included information from two unnamed U.S. schools--one located in Massachusetts and the other in Tennessee. The Massachusetts data featured messages containing names, email addresses, and some phone numbers, while the Tennessee data included full names and email addresses. Importantly, the sample did not reveal passwords or other types of sensitive information that Instructure claimed remained secure.
While TechCrunch has chosen not to identify the schools involved, they appear to utilize Instructure's Canvas platform, which supports coursework management and student-teacher communication.
ShinyHunters has also released a list of approximately 8,800 institutions they allege were impacted by the breach. However, it remains unverified whether all listed entities are indeed Instructure clients. According to Instructure, the company serves over 8,000 educational institutions.
Instructure's spokesperson, Kate Holmes, directed inquiries to the company's official updates regarding the breach, without providing specific details about the incident.
On their data leak site, ShinyHunters claims that the breach has affected nearly 9,000 schools globally, encompassing data from around 275 million individuals, including students, teachers, and staff. A member of the group indicated that the total count of unique emails involved in the breach could reach 231 million. However, it is important to note that financially driven hacking groups often exaggerate their claims to attract media attention and pressure their targets.
As of Tuesday, Instructure announced that some of its services, including Canvas, have been restored following maintenance, indicating a commitment to recovering from this incident.
