The global academic community is facing an imminent data disclosure threat as a major learning management system provider approaches a final extortion deadline. Forensic investigations have identified a legacy program as the primary catalyst for the intrusion.
The breach at the Canvas platform, managed by @[Instructure](urn:li:organization:1310123), was facilitated by a compromise of the Free-For-Teacher account system. While the vendor has now permanently discontinued this program to close the exposure window, ShinyHunters has extended the payment deadline to May 12, 2026. The group claims to hold 3.6 TB of exfiltrated student and faculty data. Instructure has confirmed the exposure of names, emails, and student IDs, though no evidence suggests passwords or financial data were accessed.
The shutdown of the Free-For-Teacher program effectively removes a key shadow IT vector that allowed attackers to bypass institutional security controls. However, the data already exfiltrated remains a potent asset for future spear-phishing campaigns targeting universities and research entities.
– Revoke all privileged credentials and rotate API keys associated with institutional Canvas tenants immediately.
– Prepare academic staff for a surge in highly personalized phishing attempts utilizing student ID numbers and internal messaging details.
– Audit all remaining third-party integrations and verify that no active sessions remain from the exposure window of April 30 to May 7.
– Implement phishing-resistant MFA for all institutional academic accounts to mitigate the risk of follow-on credential abuse.
The permanent removal of vulnerable legacy features is a necessary step in rebuilding the trust boundary of global educational infrastructure. #CodeDefence #Canvas #Instructure #ShinyHunters #DataBreach
/
