If anyone is bored this weekend - and wants to help the edu sector out in the wake of the Canvas LMS attacks - take a gander at the recently implemented and forthcoming security patches in Canvas LMS and see what you might glean. Instructure - the company that was attacked - has provided scant technical details on how initial access and exfil happened - and as a result customers (schools and universities) are left unsure as to how to trust the software or what mitigations to put in place.

Instructure has said the attack was "carried out...by exploiting an issue related to our Free-For-Teacher accounts" instructure.com/incident_updat…

Precautionary UX changes made by Instructure in response community.instructure.com/en/d…

Instructure Enforcements, Deprecations, and Breaking Changes (which contain some upcoming security related changes): community.instructure.com/en/k…

May be other threads to pull; this is being actively worked on by many.

Thank you!

#edtech #Instructure #Canvas cc/ @funnymonkey @PogoWasRight

Instructure Enforcements, Deprecations, and Breaking Changes

Periodically functionality will be added, changed, or removed in Instructure products. Announcements are made in Release Notes on an ongoing basis.

^{InstContentTeam (Instructure, Inc.)}

Oh boy, this is going to put a dent in the semester...

LA Times: Massive Canvas data breach hits colleges across California and nation, crippling student work

latimes.com/california/story/2…

#canvas #cybersecurity

Data breach of Instructure Canvas by ShinyHunters hits UC, CSU, USC, Stanford, community colleges

A massive data breach of the Instructure Canvas learning system hit UC, CSU, USC, Stanford and Los Angeles community colleges, among other schools across the nation. A criminal group called ShinyHunters claimed credit for the hack.

^{Jaweed Kaleem (Los Angeles Times)}

New, from me: Canvas Breach Disrupts Schools and Colleges Nationwide

"An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions."

"Canvas parent firm Instructure responded to today's defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students."

Lots more here:

krebsonsecurity.com/2026/05/ca…

#canvas #breach #shinyhunters #instructure