Introduction
Instructure, the parent company of the widely used Canvas Learning Management System (LMS), recently confirmed reaching an agreement with the cybercriminal group ShinyHunters. This follows claims by the threat actor that they had successfully exfiltrated sensitive data from the platform. While the specifics of the "encryption-based" incident described in early reports point towards a data extortion operation—where criminals threaten to release data rather than locking systems—the implications for educational institutions and corporate training environments are severe.
For security practitioners, this incident is a wake-up call. SaaS platforms like Canvas are prime targets for threat actors seeking to monetize Personally Identifiable Information (PII) and intellectual property. Defenders must move beyond simple compliance checks and actively hunt for signs of unauthorized API access and data scraping within their LMS environments.
Technical Analysis
Affected Platforms:
- Product: Canvas LMS (Cloud-hosted and self-hosted instances).
- Threat Actor: ShinyHunters (Known for high-profile database breaches and initial access brokerage).
Attack Vector & Mechanics: While a specific CVE was not cited in the initial disclosure regarding the "agreement," ShinyHunters typically gains access through:
- Credential Stuffing/Compromise: Leveraging leaked credentials to access user or administrator accounts.
- API Abuse: Exploiting overly permissive API keys or misconfigured integrations to bulk-export user data, grades, and course content.
- Web Application Vulnerabilities: Potential exploitation of unpatched endpoints in self-hosted versions leading to database access.
The "Encryption-Based" Component: The mention of an "encryption-based" incident usually points to one of two things: ransomware encryption of on-premise databases or, more likely in this context, a pure extortion scheme in which the attackers encrypt the stolen data, hold the key themselves, and demand payment to prevent its release. The primary risk here is Data Exfiltration.
Exploitation Status:
- Confirmed Active Exploitation: Yes. ShinyHunters has publicly claimed possession of the data, and Instructure's agreement confirms the validity of the threat.
- CISA KEV: No CVE tied to this incident is currently listed in the CISA Known Exploited Vulnerabilities catalog, but the threat actor's activity is ongoing.
Detection & Response
Detecting data extortion threats in SaaS platforms requires focusing on anomalous data access patterns rather than just malware signatures. Defenders should hunt for massive export jobs, unusual API usage, and logins from impossible travel locations.
SIGMA Rules
---
title: Potential Canvas LMS Data Scraping via API
id: 8f2c3d1e-4b5a-6c7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects potential bulk data exfiltration from Canvas LMS by identifying high-frequency GET requests from a single client to API endpoints commonly used for exporting user or course data.
references:
  - https://community.canvaslms.com/t5/Canvas-Admin-Guide/How-do-I-view-API-tokens-in-the-user-details-page/ta-p/253
author: Security Arsenal
date: 2025/01/15
tags:
  - attack.exfiltration
  - attack.t1567.002
logsource:
  category: webserver
  product: canvas
detection:
  selection:
    c-uri|contains:
      - '/api/v1/users/'
      - '/api/v1/courses/'
      - '/api/v1/accounts/'
    cs-method: GET
  timeframe: 5m
  # count per client address; an ungrouped count would fire on any busy instance
  condition: selection | count() by c-ip > 100
falsepositives:
  - Legitimate administrative bulk exports during semester start/end
level: high
---
title: Canvas Access via Non-Browser User Agent
id: 9a3d4e2f-5c6b-7d8e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects access to Canvas LMS endpoints using automation tools (Python-requests, curl, wget) which may indicate scripted data scraping by threat actors like ShinyHunters.
references:
  - https://attack.mitre.org/techniques/T1071/001
author: Security Arsenal
date: 2025/01/15
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: proxy
  product: any
detection:
  selection_target:
    cs-host|contains:
      - 'instructure.com'
      - 'canvas.instructure.com'
      - '.canvaslms.com'
  selection_ua:
    cs-user-agent|contains:
      - 'python-requests'
      - 'curl/'
      - 'wget/'
      - 'libwww-perl'
  condition: all of selection_*
falsepositives:
  - Legitimate custom integrations using API tokens (filter by known IP ranges)
level: medium
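The two Sigma rules above express the hunt declaratively; to show what the matching logic actually does on log data, the following Python script is an added example (not code from the original post or from Instructure) that applies both rules to constructed web-server log lines. The line layout, hosts, client addresses and timestamps are assumptions made for the sample, not a real Canvas log format. Rule 1 is implemented as a sliding five-minute window per client address, rule 2 as a host plus user-agent substring match.

```python
"""Added example, not code from the original post: the logic of the two
Sigma rules above, run over constructed web-server log lines.

Rule 1: more than `threshold` GET requests to /api/v1/{users,courses,accounts}/
        from one client address inside a sliding 5-minute window.
Rule 2: any request to a Canvas host from an automation user agent.
Hosts, addresses and timestamps in the sample are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

API_PREFIXES = ("/api/v1/users/", "/api/v1/courses/", "/api/v1/accounts/")
AUTOMATION_UAS = ("python-requests", "curl/", "wget/", "libwww-perl")
CANVAS_HOSTS = ("instructure.com", ".canvaslms.com")
WINDOW = timedelta(minutes=5)
THRESHOLD = 100  # same threshold as the Sigma rule

# Assumed line layout (constructed, not a real Canvas log format):
#   <ISO timestamp> <client ip> <host> <method> <uri> "<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>[A-Z]+) '
    r'(?P<uri>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_api_export(rec):
    """Rule 1 selection: GET against the user/course/account API trees."""
    return rec["method"] == "GET" and rec["uri"].startswith(API_PREFIXES)


def is_automation_ua(rec):
    """Rule 2 selection: Canvas host plus a scripting/automation user agent."""
    ua = rec["ua"].lower()
    return (any(h in rec["host"] for h in CANVAS_HOSTS)
            and any(a in ua for a in AUTOMATION_UAS))


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Apply both rules. `lines` must be in time order. Returns alerts per rule."""
    alerts = {"api_scraping": [], "automation_ua": []}
    recent = defaultdict(deque)  # client ip -> timestamps of API GETs in the window
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it, do not abort the hunt
        if is_automation_ua(rec):
            alerts["automation_ua"].append((rec["client"], rec["ua"]))
        if is_api_export(rec):
            q = recent[rec["client"]]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:  # drop hits older than the window
                q.popleft()
            if len(q) > threshold and rec["client"] not in flagged:
                flagged.add(rec["client"])  # one alert per client, like the Sigma count()
                alerts["api_scraping"].append((rec["client"], len(q), rec["ts"]))
    return alerts


def sample_log():
    """Constructed sample: one scraper, one browser user, one slow SIS integration."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    lines = []
    for i in range(120):  # scripted enumeration of 120 user profiles in 4 minutes
        ts = base + timedelta(seconds=2 * i)
        lines.append(f'{ts.isoformat()} 203.0.113.7 school.instructure.com GET '
                     f'/api/v1/users/{1000 + i}/profile "python-requests/2.31.0"')
    ts = base + timedelta(minutes=1)
    lines.append(f'{ts.isoformat()} 198.51.100.4 school.instructure.com GET '
                 f'/courses/42 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"')
    for i in range(30):  # legitimate integration: 30 calls spread over 30 minutes
        ts = base + timedelta(minutes=i)
        lines.append(f'{ts.isoformat()} 192.0.2.10 school.instructure.com GET '
                     f'/api/v1/accounts/1/users?page={i + 1} "SIS-Sync/1.0"')
    return sorted(lines)  # fixed-width ISO timestamps sort into time order


if __name__ == "__main__":
    for rule, hits in detect(sample_log()).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits[:3]:
            print("  ", hit)
```

On the constructed sample the scraper trips rule 1 at its 101st request and every one of its requests trips rule 2, while the browser user and the slow integration stay silent. The per-client grouping is the important design choice: counting API hits across all clients, as an ungrouped count would, fires on any busy instance at the start of a semester.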
KQL (Microsoft Sentinel / Defender)
This hunt queries SigninLogs (if Azure AD/Entra ID handles Canvas authentication) and proxy/CEF logs (CommonSecurityLog) for anomalous access patterns.
// Hunt for anomalous volume of Canvas API access or risky sign-ins
let CanvasApps = dynamic(["Canvas", "Instructure"]);
// Risky Entra ID sign-ins to the Canvas application
SigninLogs
| where AppDisplayName in~ (CanvasApps)
| where RiskLevelDuringSignIn in ("high", "medium")
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, RiskDetail, RiskLevelDuringSignIn
| union (
    // Proxy/CEF logs: high volume of hits on data-bearing API paths
    CommonSecurityLog
    | where RequestURL contains "/api/v1/"
    | where RequestURL has_any ("users", "courses", "accounts", "submissions")
    | summarize count_ = count() by SourceUserID, DestinationIP, bin(TimeGenerated, 5m)
    | where count_ > 50 // threshold for suspicious bulk activity
    | project TimeGenerated, SourceUserID, DestinationIP, count_
)
| order by TimeGenerated desc
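The sign-in half of the KQL hunt relies on Entra ID's own risk scoring. Where that signal is not available, the impossible-travel check the text recommends can be computed directly from sign-in events. The script below is an added example, not code from the original post or from Instructure; it assumes each event already carries a geolocated latitude/longitude for its source IP (as Entra SigninLogs or a GeoIP lookup would supply), and the users, addresses and coordinates in the sample are constructed.

```python
"""Added example, not code from the original post: an impossible-travel check
over sign-in events, the kind of hunt the text recommends for Canvas logins.
Assumes each event already carries a geolocated lat/lon for its source IP.
Users, addresses and coordinates in the sample are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_KMH = 900.0  # about airliner cruising speed; anything faster is not a real trip


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH):
    """Compare each user's consecutive sign-ins and flag pairs whose implied
    speed exceeds max_kmh. events: dicts with user, ts (ISO 8601), ip, lat, lon."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            # clamp to one second so two same-timestamp sign-ins from different
            # places are reported as impossible instead of dividing by zero
            hours = max(hours, 1 / 3600)
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": round(kmh)})
    return alerts


SAMPLE_SIGNINS = [  # constructed sample, not real sign-in data
    {"user": "registrar@example.edu", "ts": "2025-01-15T08:00:00",
     "ip": "198.51.100.4", "lat": 41.88, "lon": -87.63},   # Chicago
    {"user": "registrar@example.edu", "ts": "2025-01-15T09:30:00",
     "ip": "203.0.113.7", "lat": 52.52, "lon": 13.40},    # Berlin, 90 minutes later
    {"user": "instructor@example.edu", "ts": "2025-01-15T08:00:00",
     "ip": "198.51.100.9", "lat": 41.88, "lon": -87.63},  # Chicago
    {"user": "instructor@example.edu", "ts": "2025-01-15T10:00:00",
     "ip": "192.0.2.77", "lat": 43.04, "lon": -87.91},    # Milwaukee, 2 hours later
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

The registrar's Chicago-to-Berlin pair (roughly 7,000 km in 90 minutes) is flagged; the instructor's Chicago-to-Milwaukee pair is an ordinary commute and is not. Tune MAX_KMH and, in practice, exclude known VPN egress and cloud-proxy addresses before alerting, since those are the usual source of false positives for this check.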
Velociraptor VQL
Endpoint hunt to detect whether a workstation is running scripting or download tools that hold network connections, which may indicate automated scraping or credential theft against Canvas. Because netstat reports remote IP addresses rather than hostnames, confirm Canvas traffic by resolving the flagged addresses against Instructure's ranges or the host's DNS cache.
// Hunt for scripting/automation tools that hold outbound connections.
// pslist() and netstat() are Velociraptor built-ins. netstat() exposes the
// remote end as Raddr.IP / Raddr.Port (an IP, not a hostname), so hostname
// matches are not possible here; resolve the reported IPs afterwards.
LET ScrapingTools = SELECT Pid AS ProcPid, Name, CommandLine, Exe, Username, CreateTime
  FROM pslist()
  WHERE Name =~ '^(python3?|curl|wget|powershell|pwsh)([.]exe)?$'

// For every candidate process, list its connections to remote port 443
SELECT ProcPid AS Pid, Name, CommandLine, Exe, Username, CreateTime,
       Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort
FROM foreach(row=ScrapingTools, query={
  SELECT ProcPid, Name, CommandLine, Exe, Username, CreateTime, Raddr
  FROM netstat()
  WHERE Pid = ProcPid AND Raddr.Port = 443
})
Remediation Script (PowerShell)
Use this script to audit local workstations for potential data staging artifacts (CSV/JSON dumps) often left behind during data scraping operations.
<#
.SYNOPSIS
    Audit Script for Canvas Data Scraping Artifacts
.DESCRIPTION
    Searches User Profiles for bulk-exported Canvas data (CSV/JSON) which may indicate a breach.
#>
$UserProfiles = Get-ChildItem "C:\Users\" -Directory
$SuspiciousExtensions = @("*.csv", "*.json", "*.xlsx")
$CanvasKeywords = @("canvas", "instructure", "gradebook", "student_data", "course_export")

Write-Host "[+] Starting Canvas Artifact Audit..." -ForegroundColor Cyan

foreach ($Profile in $UserProfiles) {
    $Path = $Profile.FullName
    # Check common temp and download directories
    $TargetDirs = @(
        "$Path\Downloads",
        "$Path\Desktop",
        "$Path\AppData\Local\Temp"
    )
    foreach ($Dir in $TargetDirs) {
        if (Test-Path $Dir) {
            Write-Host "    Scanning $Dir..." -ForegroundColor Gray
            # Report files over 1 MB whose content mentions a Canvas keyword. Note that .xlsx
            # is a compressed container, so the keyword match only fires on plain-text CSV/JSON.
            Get-ChildItem -Path $Dir -Recurse -File -Include $SuspiciousExtensions -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Length -gt 1MB -and
                    (Select-String -Path $_.FullName -Pattern $CanvasKeywords -Quiet -ErrorAction SilentlyContinue)
                } |
                Select-Object FullName, LastWriteTime, Length, @{Name='Owner';Expression={$Profile.Name}}
        }
    }
}
Write-Host "[+] Audit Complete. Review the output for suspicious bulk exports." -ForegroundColor Green
Remediation
- Immediate Access Audit: Review Canvas "Admin Logs" and "API Access Logs" immediately. Look for any user or API token that has generated unusually high numbers of page views or API calls in the last 30 days.
- Credential Reset: Force a password reset for all administrative and privileged instructor accounts that showed signs of anomalous activity. Revoke all inactive API keys.
- MFA Enforcement: Ensure Multi-Factor Authentication (MFA) is strictly enforced for all admin and staff roles. Instructure supports standard MFA protocols; verify integration with your IdP (e.g., Okta, Entra ID).
- Network Restriction: If self-hosted, restrict database and admin panel access to known management IP subnets via firewall rules. For cloud instances, use IP Allow Lists in the admin settings.
- Integration Review: Audit all third-party LTI (Learning Tools Interoperability) tools and API integrations. Revoke access for any vendor that is no longer in use.
- Official Guidance: Monitor the Instructure Trust Center for specific patches or configuration updates related to this incident.