
Canvas Attackers Compromise 275M Students, Teachers, and Staff

The threat group ShinyHunters compromised Instructure's Canvas learning management system, likely via voice phishing (vishing) targeting their interconnected Salesforce environment. The breach resulted in the theft of 3.65 TB of sensitive data affecting 275 million users, which the actors are now leveraging in an active extortion campaign and which poses a severe downstream phishing risk.

Sens: Immediate | Conf: high | Analyzed: 2026-05-08 | Google

Authors: Stephen Kowski, Meagan Huebner

Actors: ShinyHunters

Source: Varonis

Detection / Hunter: Google

What Happened

A cybercriminal group known as ShinyHunters breached the Canvas learning platform, stealing data from roughly 275 million students, teachers, and staff. The stolen information includes names, school emails, student IDs, and private messages. This matters because attackers can use this personal information to launch highly convincing scams and impersonation attacks against users. Anyone using Canvas should be extremely cautious with unexpected messages, avoid clicking suspicious links, and enable multi-factor authentication on their accounts.

Key Takeaways

  • Instructure's Canvas LMS was breached, exposing 3.65 TB of data affecting approximately 275 million individuals across 15,000 institutions.
  • The threat group ShinyHunters claimed responsibility and is actively attempting to extort Instructure via their dark web site.
  • The initial access vector is suspected to be social engineering, specifically voice phishing (vishing), targeting interconnected systems like Instructure's Salesforce environment.
  • Exposed data includes names, institutional emails, student IDs, and internal platform messages, significantly increasing the risk of downstream targeted phishing and impersonation.
  • The breach highlights the systemic risk of interconnected SaaS platforms and the danger of sprawling, under-monitored identities in educational environments.

Affected Systems

  • Instructure Canvas LMS
  • Instructure Salesforce environment
  • Educational institution SaaS integrations

Attack Chain

The threat actors likely gained initial access to Instructure's environment through social engineering, specifically voice phishing (vishing) directed at employees. This access allowed them to compromise interconnected systems, including Instructure's Salesforce environment. From there, the attackers moved laterally to access the core Canvas platform, exfiltrating 3.65 TB of sensitive user data and internal communications. Finally, the group posted the stolen data on their dark web extortion site, demanding a ransom to prevent its public release.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: None — The breach occurred entirely within SaaS environments (Canvas, Salesforce) rather than on traditional endpoints where EDR is deployed.
  • Network Visibility: Low — Traffic to legitimate SaaS providers is encrypted HTTPS; malicious administrative activity is difficult to distinguish from normal traffic without deep API inspection or CASB integration.
  • Detection Difficulty: Hard — Social engineering and vishing bypass traditional technical controls, relying on compromised valid accounts to access cloud resources legitimately.

Required Log Sources

  • SaaS Audit Logs
  • Salesforce Login History
  • Identity Provider (IdP) Logs
  • CASB Logs

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for anomalous login locations, times, or impossible travel in Identity Provider logs for users with access to sensitive SaaS administrative consoles. | Identity Provider (IdP) Logs | Initial Access | Medium |
| Monitor for massive data export operations, report generation, or API read spikes from unusual IP addresses within Salesforce or Canvas administrative environments. | SaaS Audit Logs | Exfiltration | Low |
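As an added illustration of the two hunting hypotheses above (the article itself provides no detection logic, and this is not Instructure's or Varonis's code), the following Python runs an impossible-travel check over constructed IdP login events and a sliding-window export-volume check over constructed SaaS audit events. All event data, field layouts, action names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IdP login events (not real data): (user, ISO timestamp, lat, lon, source_ip)
IDP_LOGINS = [
    ("admin1", "2026-05-01T08:00:00", 45.42, -75.69, "203.0.113.10"),  # Ottawa
    ("admin1", "2026-05-01T09:10:00", 52.52, 13.40, "198.51.100.7"),   # Berlin, 70 min later
    ("user2", "2026-05-01T08:00:00", 45.42, -75.69, "203.0.113.11"),   # Ottawa
    ("user2", "2026-05-01T20:00:00", 43.65, -79.38, "203.0.113.12"),   # Toronto, 12 h later
]
# Constructed SaaS audit events (not real data): (user, ISO timestamp, action, record_count)
AUDIT_EVENTS = [
    ("admin1", "2026-05-01T09:15:00", "ReportExport", 50_000),
    ("admin1", "2026-05-01T09:20:00", "ReportExport", 120_000),
    ("admin1", "2026-05-01T09:25:00", "ApiRead", 900_000),
    ("user2", "2026-05-01T10:00:00", "ReportExport", 200),
]

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in kilometres
    p1, p2, dlat, dlon = map(radians, (lat1, lat2, lat2 - lat1, lon2 - lon1))
    return 2 * 6371.0 * asin(sqrt(sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2))

def impossible_travel(logins, max_kmh=900.0):
    """Hypothesis 1: consecutive logins by one user that imply travel faster than max_kmh."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, ip in logins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, ip))
    hits = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, la1, lo1, ip1), (t2, la2, lo2, ip2) in zip(events, events[1:]):
            speed = haversine_km(la1, lo1, la2, lo2) / max((t2 - t1).total_seconds() / 3600, 1e-9)
            if speed > max_kmh:
                hits.append((user, ip1, ip2, round(speed)))  # implied km/h for the analyst
    return hits

def export_spikes(events, window_min=60, threshold=100_000):
    """Hypothesis 2: per user, peak exported/read record count in any window_min-minute window, if over threshold."""
    by_user = defaultdict(list)
    for user, ts, action, records in events:
        if action in ("ReportExport", "ApiRead"):  # assumed export/read action names
            by_user[user].append((datetime.fromisoformat(ts), records))
    flagged = {}
    for user, evs in by_user.items():
        peak = max(sum(r for t, r in evs if 0 <= (end - t).total_seconds() <= window_min * 60) for end, _ in evs)
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

In production the same logic would read from the IdP and SaaS audit log sources listed above, with the speed and volume thresholds tuned to each institution's baseline.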

Control Gaps

  • Lack of robust identity verification for helpdesk/support calls (vishing defense)
  • Over-privileged inactive accounts in SaaS platforms
  • Insufficient monitoring of third-party SaaS integrations

Key Behavioral Indicators

  • Anomalous volume of API calls or data exports
  • Logins from unmanaged devices to administrative portals
  • Sudden changes to application keys or tokens

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Revoke and rotate privileged credentials, tokens, and application keys.
  • Monitor for unauthorized access to Salesforce and Canvas administrative portals.
  • Increase platform monitoring for anomalous data export activities.

Infrastructure Hardening

  • Implement strict identity verification protocols for IT support and password resets to thwart vishing.
  • Deprovision inactive or under-monitored identities across all SaaS platforms.
  • Audit and restrict third-party integrations and connected services (e.g., Salesforce to Canvas).

User Protection

  • Enforce Multi-Factor Authentication (MFA) for all users, prioritizing phishing-resistant MFA for administrators.
  • Educate users to navigate directly to official portals rather than clicking links in unexpected messages.

Security Awareness

  • Conduct training on voice phishing (vishing) and social engineering tactics.
  • Warn students, faculty, and staff about highly targeted phishing and impersonation campaigns leveraging stolen Canvas data.

MITRE ATT&CK Mapping

  • T1566.004 - Phishing: Voice
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1538 - Cloud Service Dashboard
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage