Instructure Canvas hack update: ShinyHunters claim second hack, deface school websites

ShinyHunters apparently isn't done with edutech giant Instructure.

The now-infamous hacking and extortion collective known as ShinyHunters has once again breached Instructure, the education technology company best known for its popular Learning Management System (LMS) application Canvas. ShinyHunters originally breached Instructure's systems just over a week ago, stealing data connected with nearly 9,000 schools worldwide.

According to a report from TechCrunch, this week, ShinyHunters hackers defaced Canvas login pages for several schools that use the coursework and messaging platform.

TechCrunch says that it saw at least three school login pages compromised with a message via an injected HTML file from ShinyHunters threatening to publicly release stolen data on May 12 unless Instructure agrees to “negotiate a settlement."

Instructure confirmed that it had been breached by the same bad actors responsible for the previously reported breach into the company. This marks a second breach into Instructure, though into a different part of its infrastructure this time.

Mashable 101 Fan Fave: Vote for your favorite creators today

Instructure took Canvas offline temporarily while it investigated the second breach. The company says that it found that the hackers "exploited an issue related to our Free-For-Teacher accounts." The company has since temporarily shut down these accounts and restored Canvas access for its users.

Earlier this month, ShinyHunters claimed responsibility for a breach that Instructure later confirmed. According to ShinyHunters, the stolen data linked to the original breach is associated with 275 million Instructure users and affects 8,809 schools worldwide. The stolen data belongs to students, teachers, and school staff who use Instructure's products and contains users' names, email addresses, student IDs, and private messages exchanged on the Canvas platform.

The request from ShinyHunters to "negotiate a settlement" has become par the course for the group, which actively seeks to profit from its excursions.

Over the past year, ShinyHunters have claimed responsibility for data breaches at companies such as Panera Bread, Crunchyroll, Bumble, ADT, and Rockstar Games, among others.