
Who?
The ShinyHunters criminal hacker group’s name is believed to be derived from the rare Shiny Pokémon of the Pokémon video game franchise. Shiny Pokémon appear in an alternate color scheme and produce a special sparkle animation when entering battle. Players who try to collect the scarce Shiny Pokémon through in-game strategies are often referred to as “shiny hunters.”
Ransomware.live, a free and independent website, continuously updates its threat intelligence platform and tracks ransomware groups and their victims. Its statistics on ShinyHunters’ nefarious activities are staggering. Starting in 2020, ShinyHunters successfully compromised 104 victims across 14 countries and stole trillions of records. Of the 104 victims on the list, 73 are located in the United States and include some big names: Microsoft, Ticketmaster, Google, Cisco Systems, 7-Eleven, CarMax, Amtrak, McDonald’s, Disney/Hulu, Princeton, Harvard and the University of Pennsylvania. AT&T Wireless was compromised more than once, as was Instructure.
The Instructure/Canvas attack represents far more than an isolated technology outage – it is a high-profile demonstration of how centralized digital ecosystems, third-party dependencies and modern extortion operations are reshaping enterprise cyber risk. While the attack primarily disrupted the education sector, the lessons emerging from the incident are directly applicable to CISOs, boards of directors, risk management leaders and executive teams across every industry.
How?
Specific technical details about how Canvas was compromised are thin. But on Instructure’s Security Incident & Update page, the company identified that a vulnerability with support tickets in its Free for Teacher environment was exploited. In the wake of the attack, Canvas temporarily disabled the Free for Teacher service while it completes a full security review. Free for Teacher is a standalone, no-cost version of the Canvas LMS that allows teachers to build interactive classes and manage students independently, even if their school does not use Canvas.
