Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions. The second hack was to draw attention and to pressure Instructure into entering negotiations to pay a ransom following an initial breach disclosed a week before. Instructure is the developer of Canvas, a popular learning management system (LMS) used by schools and universities around the world to handle assignments and coursework. On April 29, the company discovered that its network had been breached and “immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.” A few days later, the company confirmed that data was stolen in the cyberattack, and ShinyHunters published Instructure on their data leak site, stating that they stole more than 3.6 terabytes of uncompressed data. In an attempt to coerce Instructure into paying a ransom, the threat actor hacked Instructure again on May 7 using the same vulnerability used in the initial intrusion. ShinyHunters injected malicious JavaScript exploiting XSS bugs within user-generated content features, which gave them access to authenticated admin sessions and allowed them to perform privileged actions. In an email to BleepingComputer on Sunday, Instructure confirmed that the exploited security issue affected the Free-for-Teacher environment, the free, limited version of Canvas LMS for individual educators. “The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas” - Instructure