Secure AF - A Cybersecurity Podcast
Think like a hacker. Defend like a pro.
Welcome to the Secure AF Cybersecurity Podcast — your tactical edge in the ever-evolving cyber battlefield. Hosted by industry veterans including Donovan Farrow and Jonathan Kimmitt, this podcast dives deep into real-world infosec challenges, red team tactics, blue team strategies, and the latest tools shaping the cybersecurity landscape.
Whether you're a seasoned pentester, a SOC analyst, or just breaking into the field, you'll find actionable insights, expert interviews, and unfiltered discussions with Alias team members and top-tier guests from across the cybersecurity spectrum.
Stay sharp. Stay informed. Stay Secure AF.
ShinyHunters Breach of Instructure Canvas LMS 📚✏️: Lessons for SOCs on Third-Party Vendor Risks
In this episode of the #SOCBrief, we break down the ShinyHunters breach of Instructure’s Canvas LMS and what it means for security teams everywhere.
From exploiting a lesser-monitored service to exfiltrating millions of records, this attack highlights the growing risk of third-party vendors and supply chain exposure. We walk through how the breach unfolded, key indicators of compromise, and the practical steps SOC teams can take to detect, monitor, and reduce vendor-related risk before it becomes a crisis.
Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.
Good morning, good afternoon, or good evening, whenever you may be, and welcome to another episode of the SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of cybersecurity threats. I'm your host, Andrew, and today we're going to discuss the major breach that everyone's talking about right now. And that is the ShinyHunters attack on Instructure. That's the company behind the widely used Canvas Learning Management System. We'll discuss the attack itself, how it unfolded, what it means for other organizations, and the practical steps your SOC can take to help protect against similar attacks or identify when third-party vendors are being targeted.

Instructure is a major education technology company that operates Canvas, one of the most popular learning management systems in the world. Canvas is used by thousands of schools, universities, and educational institutions globally to manage courses, assignments, and student data. ShinyHunters is a well-known criminal group active since 2020 that specializes in stealing large volumes of sensitive data and then extorting the victim by threatening to publish it.

The attack unfolded just this past April when ShinyHunters exploited a vulnerability in Instructure's Free for Teacher service. Through that exploit, they gained access to the Canvas platform and claim to have exfiltrated 3.65 terabytes of data, affecting approximately 275 million records across 8,809 educational institutions. The stolen data includes student and staff names, email addresses, student IDs, and internal private messages between users. After the initial ransom deadline passed, ShinyHunters escalated by defacing login portals at roughly 330 institutions and pivoting to direct school-by-school extortion, with a final deadline extended to May 12th, which is today for me.

This breach is significant because of the scale and the target. Instructure serves millions of users across education, which means one compromise can expose personal information for hundreds of millions of students, teachers, and staff. For other organizations, this is a clear example of supply chain risk. Many companies rely on third-party vendors for critical services, and a breach in one vendor can ripple out to affect thousands of downstream customers. It also shows how attackers are increasingly targeting cloud-hosted platforms that hold sensitive data, using vulnerabilities in less monitored services like free or trial accounts to gain broad access.

For SOCs, this incident highlights the importance of treating third-party vendors as an extension of your own attack surface. You can't always control what happens on the vendor side, but you can prepare for the fallout. SOCs can do things like monitoring for signs of third-party data exfiltration or unusual activity coming from vendor-integrated systems. Make sure to look for known indicators published by researchers, including specific hashes, domains, and patterns associated with the ShinyHunters campaigns. We can be proactive in our hunting by regularly reviewing access logs from third-party integrations and scanning for exposed credentials or leaked data related to your organization on dark web monitoring services. Integrate threat intelligence feeds that track groups like ShinyHunters so you can get early warnings about their latest targets.

The most important step really is building strong vendor risk management practices. Review your critical third-party vendors regularly and establish clear escalation paths for when a vendor discloses an incident. On the network side, segment your vendor integrations where possible so a compromise on their side doesn't automatically spread to your core systems.

The bottom line here is that the ShinyHunters breach of Instructure shows how quickly a single vendor vulnerability can expose massive amounts of sensitive data. SOCs that monitor their third-party risks closely and prepare for supply chain fallout can significantly reduce the impact of these incidents.

For some closing thoughts on a call to action, this ShinyHunters attack on Instructure is a reminder that supply chain and third-party risks are real and growing. SOCs that treat vendors as part of their attack surface, monitor for signs of compromise, and maintain strong communication can turn these potential disasters into manageable events. This week I challenge you guys to pick one critical third-party vendor in your environment and review their latest security status or recent incident reports. Share those findings with your team and leadership.

And that's a wrap for this episode of the SOC Brief. Have questions or your own third-party breach stories? Hit us up on social media or via our website. Keep your eyes open, keep sharpening those skills, and we'll talk soon. As always, stay secure out there. Bye.