Instructure's Canvas LMS Targeted by ShinyHunters: XSS Exploits Lead to Extortion and Data Breach
**Instructure**, the company behind the popular **Canvas** learning management system (LMS), has confirmed a security breach that allowed hackers to modify login portals and post an extortion message. The attackers, identified as **ShinyHunters**, exploited cross-site scripting (XSS) vulnerabilities to gain administrative access and exfiltrate data.

**Instructure**, the developer of **Canvas**, a widely-used learning management system (LMS), is grappling with the fallout from a recent cyberattack. The incident involved multiple cross-site scripting (XSS) vulnerabilities, enabling attackers to obtain authenticated admin sessions.
**Initial Breach and Extortion Attempt**
According to **Instructure**, the initial breach occurred on April 29th. The company detected unauthorized access, immediately revoked the access, launched an investigation, and brought in external forensic experts.
A few days later, the stolen data was published on **ShinyHunters**' data leak site. The threat actors claimed to have stolen over 3.6 terabytes of uncompressed data.
**Canvas Defacement and Extortion Message**
On May 7th, **ShinyHunters** used the same vulnerability to re-enter **Instructure**'s systems and inject malicious JavaScript, exploiting the XSS bugs within user-generated content features. This gave them access to authenticated admin sessions and allowed them to perform privileged actions.
The attackers then defaced **Canvas** login portals, leaving a message warning **Instructure** and schools using the platform to contact them by May 12th to negotiate a ransom.
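The attack chain above hinges on stored XSS in user-generated content, so the control that matters most is strict allowlist sanitization of any rich text an end user can save. The following is an added illustration, not code from Instructure or Canvas; it assumes a hypothetical allowlist suited to course pages and returns both the cleaned HTML and a list of what was dropped, which is also useful when reviewing stored content after an incident.

```python
"""Allowlist sanitizer for user-generated rich text (constructed example)."""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist: formatting a course page legitimately needs, nothing more.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID = {"br"}  # tags that take no closing tag


class Sanitizer(HTMLParser):
    """Rebuilds markup from the parse tree, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output fragments
        self.skip = 0      # >0 while inside <script>/<style>, whose text is dropped
        self.flags = []    # audit trail of everything removed

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            self.flags.append(f"dropped <{tag}>")
            return
        if self.skip:
            return
        if tag not in ALLOWED_TAGS:          # e.g. <img onerror=...>, <iframe>, <svg>
            self.flags.append(f"dropped <{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):        # inline event handlers are never allowed
                self.flags.append(f"dropped {name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                self.flags.append("dropped unsafe href")   # javascript:, data:, etc.
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text can never become markup


def sanitize(html: str):
    """Return (sanitized_html, flags). Unclosed tags are passed through unbalanced."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.flags
```

Run the cleaner on content at save time and on existing stored pages; a non-empty `flags` list on content that should already be clean is a signal worth investigating.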
**Impact on Free-for-Teacher Accounts**
**Instructure** confirmed that the exploited security issue affected the Free-for-Teacher environment, the free, limited version of **Canvas** LMS for individual educators.
"The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through **Canvas**," **Instructure** stated in an incident update.
**Instructure** temporarily took **Canvas** offline to stop the malicious activity, determine the cause, and implement additional safeguards. The platform has been back online since May 9th, but Free-for-Teacher accounts remain offline until the issues are resolved.

**Data at Risk**
While the defacement of **Canvas** login portals did not directly compromise data, the data exfiltrated during the initial breach likely includes usernames, email addresses, course names, enrollment information, and messages.
**Scale of the Breach**
**ShinyHunters** claims the breach impacts 8,809 educational organizations and that they stole 275 million records belonging to students, teachers, and other staff members.