One of the largest data breaches of the year just hit the education sector, and the criminal group behind it targets the same cloud tools millions of businesses run on every day. We’re getting into all of it, as we sit down and sync up with Rocket IT’s weekly technology update.

In this episode, you’ll hear more about:

• How ShinyHunters breached Canvas and exposed 280 million student and staff records
• The escalation tactics the group used when Instructure refused to meet their demands
• Why ShinyHunters poses a growing threat to the SaaS platforms most businesses run on
• The steps your organization can take to reduce exposure across your cloud tools

Video Transcript

One of the largest data breaches of the year just hit the education sector, and the criminal group behind it targets the same cloud tools millions of businesses run on every day. We’re getting into all of it, as we sit down and sync up with Rocket IT’s weekly technology update.

Hello everyone, I’m Chris Swinson, Technology Insider at Rocket IT, and welcome to Sync Up, your home for the latest tech news.

If you haven’t heard of Canvas, it’s one of the most widely used learning management systems in the country, helping schools manage coursework, assignments, grading, and communication between students and faculty. It’s built and operated by a company called Instructure, and right now Instructure is dealing with one of the more serious cyberattacks we’ve seen in recent memory.

Attackers recently breached Instructure’s systems and made off with approximately 280 million student and staff records tied to nearly 9,000 schools, universities, and education platforms. That’s an enormous amount of data, and it includes user records, private messages, and enrollment information. When Instructure didn’t respond to their demands, the attackers escalated. They exploited a second vulnerability to deface the Canvas login pages for roughly 330 colleges and universities, replacing standard login screens with a public extortion message warning that all stolen data would be leaked if their demands weren’t met. The message was visible for about 30 minutes before Instructure took Canvas offline entirely.

The group behind this is known as ShinyHunters, and they’ve been one of the most active cybercriminal organizations operating right now. Understanding who they are matters, because their targets go well beyond education. ShinyHunters primarily focuses on cloud-based SaaS environments, which is the category of tools that most modern businesses run on every day. We’re talking about platforms like Salesforce, Microsoft 365, Google Workspace, Slack, and Dropbox. Their typical approach involves breaching third party integrations and using stolen authentication tokens to move laterally into connected systems, often without ever needing a traditional password.

They’ve also been linked to attacks on companies like Google, Cisco, and Match Group, and they’re known to conduct voice phishing attacks where they impersonate IT support staff to trick employees into handing over credentials and MFA codes.

So what does this mean for your business? A few things are worth paying attention to. First, third party integrations are one of the most common entry points attackers use, so understanding what tools are connected to your core business systems and what level of access they have is an important starting point. Second, employee awareness matters more than most people realize. ShinyHunters regularly impersonates IT support staff to trick employees into giving up credentials, which means training your team to verify those kinds of requests before acting on them can make a real difference. And third, reviewing your authentication setup across your cloud tools, making sure MFA is enabled and that access controls are configured correctly, goes a long way toward limiting the damage even if credentials do get compromised.

The Instructure breach is a reminder that when attackers don’t get what they want, they don’t walk away. They escalate. If you want to make sure your organization has the right protections in place for the cloud tools your team depends on, contact Rocket IT using the link in this video’s description. And to stay up to date on trending technology news, hit that subscribe button and the bell to catch us on next week’s episode of Sync Up with Rocket IT.