The Canvas Breach: What K–12 Leaders Need To Know About Third-Party SaaS Risk

Cybercriminal group ShinyHunters has executed one of the largest educational data breaches on record, targeting Instructure, the company behind learning management system Canvas. Instructure detected unauthorized activity on April 29. On May 2, the company reported that it had “revoked privileged credentials and access tokens associated with affected systems, deployed patches to enhance system security,” rotated certain keys and increased monitoring efforts across all platforms. On May 7, a second wave of activity occurred when some users reported seeing extortion messages when logged in to…