What the Canvas breach means for students, schools & families

For those of you with kids, there's a good chance your school is using Canvas. This week they were breached and the fallout has been huge.

What is Canvas used for anyway? Canvas (owned by Instructure, Inc.) is one of the most widely used learning management systems (LMS's) and is used heavily to post assignments, collect homework, manage grades, share class materials, send messages, and communicate between students, teachers and staff.

What happened and why does it matter they got hacked? The ShinyHunters cyber gang were caught hiding inside Canvas on April 29th. Although they were kicked out, it wasn't before they copied all of that private data and threatened to release it unless a ransom was paid.

Things quickly escalated. By May 12th Canvas hadn't paid the ransom, so ShinyHunters started displaying ransom/extortion messages on Canvas login pages, at which point the entire system was taken offline, right during finals!

Instructure, Inc. now states that they reached an “agreement” with the attackers to have the stolen data destroyed, with news outlets reporting that the hackers were paid an undisclosed amount.

The Takeaway

Here are 5 things you need to know right now if you think that you or someone you know may have been a victim of the Canvas hack:

1. Watch for official notifications from your school or Instructure explaining whether your account or institution was affected and any changes that may have been made to your Canvas account (eg. a password reset)
   

2. Be suspicious of emails, texts, or Canvas-related messages asking you to “verify” your account, reset your password, open a shared document or pay a fee, especially if the message creates urgency. Those could be coming from a scammer.
   

3. Change your Canvas password if you reused it anywhere else and make sure every important online account has a unique password.
   

4. Turn on multi-factor authentication wherever it is available, especially for school email, personal email, banking and cloud storage accounts.
   

5. Monitor your email, school account, and financial accounts for unusual activity and report anything suspicious to your school’s IT department before clicking links or opening attachments.

Breaches like this are no fun. They disrupt classrooms, damage trust and expose private info that attackers are definitely going to use to target us with convincing scams. Even if your passwords or financial data was not exposed, you should stay alert, verify Canvas-related messages through official channels and treat any unexpected Canvas-related communication with caution.

Stay safe out there.

-Attila

New Friday Funnies!

The school phoned me today and said, "Your son's been telling lies."

I replied, "Well, tell him he's really good - I haven't got any kids!"

What did the buffalo say when he dropped his son off at school?

Bison.

What did the mermaid wear to her math class?

An algae bra.

Why did Kimo get a bad grade in photography class?

He had trouble focusing.

What do you learn in both Math and Social Studies class?

Inequalities.