Following a major cyberattack on the Canvas learning management system, which compromised millions of users' personal information including names, emails, and student IDs, cybersecurity experts recommend implementing strict password policies with unique credentials for each platform, using password managers, enabling multi-factor authentication, and freezing credit with major bureaus to protect against identity theft; organizations should thoroughly vet vendors and assess their security preparedness to minimize potential damage from cyber incidents.
Cyberattack knocks Canvas offline, millions face data exposure; Interview with cybersecurity expert
First off, explain what you know about the Canvas hack.
>> Well, there's actually been two hacks.
One was last week, Wednesday, and that was a real minor one, more of a warning shot, so to speak. And what it did, it alerted, you know, and they gave the initial ransom attempt, I think, at that time. Instructure, which owns the Canvas platform, patched up their system, thought they kicked them out and thought they had everything under control, and everything was back up and running for the following seven, eight days. And then this past, yesterday and Thursday, the bigger outage came during the day and it took them down. However, props to Instructure and their IT department that within a day or a little over a day or so, they've been able to get back online. You know, I'm presuming they had good monitoring in place. They identified what systems were affected.
It looked like it was from their free teacher platform, free access for teachers platform. So they got that stabilized. So there still is a minor disruption for their platform.
However, they were able to get the vast majority of the users, specifically all the students and a lot of the teachers and organizations, back online. But it's impressive in that regard, knowing who they're going against. ShinyHunters is a well-known threat actor group. They've been very active the last few years. They've gone after quite a few big targets. In 2024 they went after, took down Ticketmaster. The last few years, '25 and '26, they went after Salesforce, Google, Louis Vuitton, Gucci, Adidas, Jaguar Land Rover, Coinbase, Qantas, a lot of big, huge companies, and the security companies have done a lot of research on this organization. So there is quite a bit about them. Primarily, ShinyHunters is going after money, plain and simple. They are notorious; they're believed to be formed in around 2019, 2020. They go after large-scale data breaches. They extort and then they'll sell the data that they have. To that end, I know that Instructure has put out, and they've got some things on their page, and have you looked at instructure.com incident update? They had one. You probably want that page. I can probably send that link to you. Otherwise, it's instructure.com. But they've got frequently asked questions. So that'll be a lot of good things for you with that in there. But one of the things that I'm concerned about was what personally identifiable information was compromised. And they've said that they, let me get that exact, what information was involved. Here we go.
Names, email addresses, student ID numbers, and messages, internal messages amongst the Canvas users.
They say that they found no evidence that passwords, date of birth, government identifiers, meaning Social Security numbers, or financial information was involved. Hopefully, that is true. However, what I recommend for everyone, even students, even young people and everything else there, is freeze your credit with the three credit reporting bureaus.
I'm sure people have heard this over time. It takes about 10, 15 minutes, hopefully. You know, it depends. If people need help, they can reach out.
You know, I've helped customers with that, but, you know, they can talk. I know maybe family members, somebody else can help them, but if they freeze their credit and lock out the hackers from that, that is one less thing to worry about for them. Because unfortunately, I think there have been so many of these. I mean, you've interviewed me enough times just on these data breaches, everything else there, but there have been so many of these, and almost everyone in the US, their information has been compromised.
>> Right, and on that, you mentioned that they should freeze their credit. How long do you suggest that people do that for?
>> Well, it's indefinite, freezing their credit, but what happens is they can put a thaw on it or temporarily unfreeze it for a few days.
So, in the event that they do need, let's say they need to take out a loan, somebody's buying a new vehicle or a new property, you know, another home mortgage or buying a cottage up north or something, what they can do is go in to that place, contact them, you know, if they've got an email address and password set up and they log into it, they can actually control it for a couple days. Otherwise, if they contact them, they'll have to verify who they are and everything. But go through that and thaw it for a couple days. Let the, you know, financial institution, the bank, credit union, the lender check on it. They'll pull their credit. They get notified back that it's approved, and then they can go back and refreeze their credit again. That way it keeps the hackers, the identity thieves out of it. If an identity thief takes over it, they can populate it with their own data. They can make stuff up. They can control it and everything else there.
They can take out credit in people's names. So, $5,000 credit card could be taken out and they put a fake address down. Well, guess what? Eventually, the credit card company will catch on.
They'll look at the last known address.
It'll eventually get turned over to you and they'll go after you for collecting.
>> So obviously this hack put a lot of universities and school districts out of sorts for a little while there.
Is it a problem that, you know, they're so reliant on one system? You know, one hack could take care of, you know, a lot of different people, sounds like.
>> Yeah. And the timing of this should be noted. They went for the biggest impact. Right now it's during finals. People are waiting, you know, graduation is approaching, end of the school year.
This was a well-timed attack. As far as being reliant on one, it's important that they vet and check out the vendor and they ask a lot of questions. They find out how prepared the vendors are for situations like this. And in this case, Instructure, the company that owns Canvas, right now it appears that they have responded pretty well to it and they were prepared. Now, you know, they weren't able to prevent it from happening, but they were able to respond and try to minimize the damage that occurred. So right now it appears that Instructure did a very good job with their incident response planning and their preparations for this. Hopefully they'll share some of this with the cybersecurity world going forward. We'll be able to use this as a case study and find out more information, what they did right, things that they've identified that really were very important that helped minimize the damage. Unfortunately, you know, they had an outage.
It impacted their services that they offered. It inconvenienced the students and the teachers and all the schools and everything. But to come back within a day, when we've seen other outages, other ransomware attacks take weeks or months to recover from. Even some have put organizations out of business. They've never recovered and they basically shut their doors because of that. So hopefully they're up for a while here. They're able to get through this and can move forward.
>> And other than freezing credit, are there any other tips that you might have for students or the schools for what they should do going forward here?
>> Yeah, several things. One, I would say, definitely is enforce a strict password policy. Make sure that people do not use the same password on, you know, platforms. Every website, every one should be unique, and if they need to, you know, use a password manager program that can help create them. You know, you don't have to remember it, just put it all in the app and let them do it. If they don't do that, I understand there's some people that are technology challenged, have a separate notebook. Make sure that you keep physical access for that and that, you know, you have the website, username, which is usually the email address, the password, and a comment section that would have maybe notes or the date that it was changed. Leave some space there so that you can change it periodically as needed. Other things I think they should do too is, if they can, set up the multifactor authentication.
It's a pain. We realize that, but if it's harder for you to log in, it's also harder for a hacker to get in using your credentials. In this case, obviously, the organization, Instructure, that owns Canvas had been hacked. So the platform itself was hacked, but as long as you use different passwords and you secure yourself, those are the things that people have to do. So using that MFA, that could be sending a text message to your phone, using what's called an authenticator app, which changes a code every minute or so and gives you a unique code so that you have that code on there. Other things might be having a personal identifying number, like a PIN, on, you know, certain devices or something there. Having a USB key, key fob, what's that called there? A USB device that you plug in that secures your device on there as well. Be very cautious of any phishing scams. Make sure that you get correspondence from their institution, from the schools themselves. I would also look at social media. Their official social media platforms will hopefully have a few updates on there.
Their official websites should have updates, too. Hopefully they might have identified a separate page where they've got updates planned for it, where they're posting those updates so people, you know, the students and teachers and other members of the faculty, can go to it, check it out, get the updates from there. So just make sure of that. If they are getting an email, verify the email sender. Hopefully they had that sender in their email address contact list, in their address book already, so that when it pops up it shows up as them. Just verify that it is from the actual institution and from who they're expecting it from. Talk with their friends and colleagues and maybe even teachers and everything else too, if need be. I think the organizations are getting it, and that's what the Canvas platform is telling them, is contact their organizations. They're gradually filtering that information out to the teachers and to the students and everybody.