
Canvas security breach: What the Shiny Hunters attack means for you and how to stay safe online

The founder of a top managed security service provider breaks down who hacked Canvas, how they got in, and the steps every user should take to protect their identity and accounts

Nadeem Azhar, an author and founder of a managed security service provider, said the breach was carried out by a hacking group known as the Shiny Hunters, a decentralized, worldwide group that most cybersecurity professionals believe is U.S.-based.

"It's not very often that I hear that a certain group that is within the US is attacking US companies," Azhar said. "That's, you know, usually that's not how it works."

Azhar said the group originally focused on infrastructure targets like power plants before shifting its attention to software as a service, or SaaS, platforms — cloud-based systems like Canvas, Salesforce, and Microsoft 365.

What makes the breach particularly alarming, Azhar said, is that the Shiny Hunters did not use advanced techniques to get in.

"This group is really not known for its sophistication. They don't have high-end top experts to break into systems. They just use the well-known vulnerabilities," Azhar said. "We know so much about this group, and yet something so core that was so close to the future of not just our country, but the world got impacted by this group, using non-sophisticated methods, which is just mind-blowing."

Canvas is owned by Instructure, a private equity group. Azhar said the education sector has historically not received the same level of security attention as other industries.

"This incident is probably going to trigger some more stuff happening down the line to make sure that companies that are close to working with students, really the future of the nation, they have better protections in place, at least fix the known vulnerabilities," Azhar said.

Instructure announced it reached an agreement with the hackers, who agreed to digitally shred the stolen data. Azhar said he is skeptical.

"When somebody says we're going to shred digital information, I don't know about that," Azhar said.

Instructure also said it found and revoked access used by the hackers, but Azhar said that may not be enough.

"That could just be an account that these guys set up for themselves. They revoked that, but we don't know if the original vulnerability was fixed. We don't know if there are any other back doors that these people left," Azhar said.

If the company paid a ransom and used decryption keys provided by the hackers to restore data, Azhar said the risk is even greater.

"The probability is very high that there's a backdoor in that system," Azhar said.

What you can do right now

Azhar offered several steps anyone with a Canvas account — or any online account — should take immediately.

Use unique passwords across every platform

Azhar said recycling passwords is one of the most common and dangerous habits people have online. He recommends using a password manager to generate and store truly random passwords.

"Recycling is great, but not when it comes to passwords," Azhar said.

Enable multi-factor authentication — but not via text message

Azhar said more than 40% of Microsoft 365 users still do not use multi-factor authentication, or MFA, despite years of the company pushing the feature. He also warned that receiving MFA codes by text message is not secure.

"Text messages are considered compromised. They're not secure," Azhar said. "If you want to use multi-factor authentication, everybody would recommend using an authentication app. That is a secure way to get that second-factor code."

Freeze your credit and set up credit monitoring

Azhar said anyone who had a Canvas account should take steps to protect their financial identity, because stolen personal data can be used long after a breach to open fraudulent accounts or take over identities.

"Freeze your credit as it is and then get monitoring in place, so that way if something happens, you'll get ahead of the problem," Azhar said.

Patch your devices

Azhar said keeping computers, phones, and tablets fully updated with the latest software patches is one of the simplest and most overlooked protections available.

"Whether it's from Microsoft, whether it's from Apple, whether it's from Google, whatever it is, these companies give you these patches. All you have to do is apply them," Azhar said.

Pause when something feels urgent

Azhar said scammers — whether through email, phone calls, or even AI-generated voices mimicking family members — almost always create a false sense of urgency to pressure people into acting before they think.

"When something appears to be urgent, you need to pause and step back, take another look," Azhar said.

He added that AI voice technology has made phone scams more convincing than ever.

"Don't think that it's a person on a phone call. It could be an AI talking on that phone call that sounds like your son, like your daughter, like your wife, because all they need is a sample sound to mimic that voice," Azhar said.

His books on cybersecurity are available at NadeemAzhar.com and on Amazon.

This story was reported on-air by a journalist and has been converted to this platform with the assistance of AI. Our editorial team verifies all reporting on all platforms for fairness and accuracy.

