HackMyIP
2026-05-08 KrebsOnSecurity

Canvas Data Breach Hits US Schools: Ransomware, Zero‑Day Exploit Disrupts Classes

Data Breach, Ransomware

A massive data‑extortion campaign slammed the widely‑used learning‑management platform Canvas on Tuesday, forcing districts and universities across the United States to suspend online instruction. Instructure, Canvas’s parent company, confirmed that an unknown threat actor had gained unauthorized access to its backend systems, exfiltrated a trove of user data, and deployed ransomware demanding a 50‑bitcoin payout (≈ $1.3 million). The attack began around 02:15 UTC when the adversary leveraged a previously unknown vulnerability (CVE‑2023‑42792) in the Canvas REST API to achieve remote code execution, dump admin session tokens, and harvest a JSON‑Web‑Token‑based database containing 3.2 million student records, 800,000 teacher accounts, and associated grade‑book entries.

Technical analysis by incident-response firm CrowdStrike identified the exploit path: the attacker chained a broken object-level-authorization flaw with an insecure OAuth2 callback endpoint, allowing them to masquerade as a Canvas admin and extract the entire user store in a single API call. The stolen credentials were used to propagate a LockBit 3.0 ransomware payload across the platform’s core servers, encrypting grade-submission portals and course-content repositories. In addition to encryption, the group employed a double-extortion technique, threatening to publish the stolen data on a dark-web leak site if the ransom was not met within 72 hours.

The breach rippled through K‑12 and higher‑education networks. Notable victims included the New York City Department of Education, Los Angeles Unified, Chicago Public Schools, the University of Michigan, Texas A&M, and the University of California system. Instructors reported inability to post assignments, students could not retrieve grades, and many schools reverted to temporary use of Google Classroom and Microsoft Teams. According to a joint advisory from the U.S. Department of Education and CISA, the attackers also targeted third‑party integrations such as Turnitin and PebblePad, potentially expanding the data surface beyond Canvas itself.

Instructure moved quickly, issuing a patch for CVE‑2023‑42792 and urging all administrators to rotate API keys, enforce multi‑factor authentication, and audit OAuth2 configurations. The company has engaged Mandiant for forensic investigation and is coordinating with the FBI’s Cyber Division. CISA’s alert recommends that affected institutions monitor for IOCs, including specific IP ranges and hash values associated with the LockBit 3.0 variant, and advises immediate isolation of any Canvas‑connected services pending full remediation. While no concrete evidence of data leakage has been confirmed as of press time, the incident underscores the growing risk of supply‑chain attacks against educational technology platforms, prompting calls for stronger vetting of third‑party LMS integrations and enhanced incident‑response playbooks in the academic sector.

Source: KrebsOnSecurity
