The data breach at education tech giant Instructure includes students’ private data, according to a sample of the allegedly stolen data seen by TechCrunch.
Lorenzo Franceschi-Bicchierai
Education tech giant Instructure has confirmed a data breach affecting students’ private information. The hacking and extortion gang ShinyHunters claimed responsibility for the breach.
The hackers claim to have stolen students’ names, their personal email addresses, and messages sent between teachers and students — the same type of data Instructure admitted was stolen.
Instructure is the latest corporate giant hacked by the ShinyHunters gang. The cybercriminals have targeted universities and cloud database companies in recent months, in efforts to steal vast amounts of people’s personal information and threaten to post the data online if the companies do not pay the hackers’ ransom.
A member of ShinyHunters shared a sample of the stolen data with TechCrunch, which included data from two schools in the United States, one in Massachusetts and one in Tennessee. In the case of the one in Massachusetts, the data included messages, which contain names, email addresses, and some phone numbers. As for the school in Tennessee, the sample included students’ full names and email addresses.
The sample did not contain passwords or the other types of data that Instructure said was unaffected by the breach.
TechCrunch is not naming the schools as they are not confirmed victims. Based on information that appears on their websites, both schools appear to use Instructure’s platform Canvas, which allows customers to manage coursework, assignments, and communicate with students.
ShinyHunters also shared a list of about 8,800 schools allegedly affected by the breach. TechCrunch could not confirm whether all the listed institutions were affected, nor whether they are Instructure customers. On its official site, Instructure says it has more than 8,000 institutions as customers.
When reached by TechCrunch, Instructure’s spokesperson Kate Holmes did not answer several questions about the incident, and instead referred to the company’s official page where it is publishing updates on the breach.
On its data leak site, where ShinyHunters claims responsibility for data breaches and attempts to pressure victims into paying a ransom, the hackers claim the breach affected close to 9,000 schools around the world, and 275 million people’s data, including students, teachers, and other staff. In an online chat, the ShinyHunters member told TechCrunch that the total unique emails that are included in the stolen data amount to 231 million.
Financially motivated hacking groups are known to exaggerate their claims to gather the attention of the media, as well as their victims.
As of Tuesday, Instructure said some of its products, such as Canvas, were restored for customers after undergoing maintenance.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
