Hackers Deface School Login Pages After Alleged Second Instructure Breach

Just days after education technology giant Instructure disclosed a major data breach, a cybercrime group appears to have struck again. This time, hackers defaced the login pages of several schools using the company’s Canvas platform, escalating their extortion campaign. The Instructure data breach initially exposed student names, personal emails, and teacher-student messages. Now, the situation has taken a more visible turn.

How the Canvas Login Defacement Unfolded

On Tuesday, TechCrunch observed that the cybercrime group ShinyHunters had altered the Canvas login pages of three separate schools. The hackers injected an HTML file that replaced the normal login screens with a threatening message. This message warned that stolen data would be published on May 12 unless Instructure agreed to a settlement.

At the time of writing, Instructure’s website appeared partially offline, sometimes returning a “too many requests” error. The Canvas portal displayed a notice about scheduled maintenance. However, this disruption was likely a direct result of the hack.

The Message Behind the Defacement

The defaced pages served as a public shaming tactic. ShinyHunters aims to pressure Instructure into paying a ransom. By compromising login pages—which students and teachers use daily—the hackers amplified their demands. This move follows the same financially motivated playbook the group has used against countless victims over the last couple of years.

Instructure’s Response to the Canvas Security Incident

Instructure spokesperson Brian Watkins confirmed to TechCrunch that the company discovered hackers had changed some customers’ login pages. “Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” Watkins said. The company linked the defacement to an issue with its Free-For-Teacher accounts, leading to a temporary shutdown of that service.

Watkins also stated that the same hackers responsible for the original breach were behind this second attack. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use,” he added. The company has since restored full functionality.

Escalating Pressure: How ShinyHunters Is Targeting Schools

This apparent second hack indicates that ShinyHunters is ramping up pressure on Instructure and its customers. The group originally claimed responsibility for the first breach, publicizing stolen data on its leak site to extort a payment. Now, by defacing login pages and notifying TechCrunch, the hackers hope to force a quicker capitulation.

It remains unclear how the hackers compromised the login pages. When asked, a ShinyHunters member told TechCrunch they couldn’t comment on specifics but described this as a separate breach. The original Instructure data breach allegedly affected nearly 9,000 schools worldwide, with stolen files containing information on 231 million people.

What This Means for Schools and Students

For schools using Canvas, this incident highlights the risks of relying on third-party platforms for sensitive data. Administrators should review their security protocols and consider additional safeguards. Schools can take proactive steps to protect student information, such as enabling multi-factor authentication and monitoring login activity.

Building on this, parents and students should remain vigilant. If you suspect your data was compromised, change passwords immediately and monitor for phishing attempts. Learn how to respond to a data breach effectively.

The Bigger Picture: Education Tech Under Siege

ShinyHunters has compromised countless victims over the last couple of years, following the same financially motivated playbook: hack, publicize, and extort. This Instructure data breach is part of a broader trend targeting education technology. As schools increasingly rely on digital platforms, they become attractive targets for cybercriminals seeking large datasets.

Therefore, the education sector must invest in stronger cybersecurity measures. Educators can adopt simple strategies to reduce risk, including regular security audits and employee training. The question remains: will Instructure negotiate, or will the hackers follow through on their threat to release data?

For now, the company has restored Canvas access, but the breach underscores the ongoing vulnerability of educational systems. Students and teachers alike should stay informed and take precautions.

How macOS Native Tools Are Being Repurposed for Stealthy Enterprise Attacks

Attackers are increasingly turning to macOS native tools to infiltrate enterprise environments, according to new research from Cisco Talos. The study, published on April 21, reveals how built-in macOS features—such as Remote Application Scripting (RAS) and Spotlight metadata—are being weaponized for code execution, lateral movement, and evasion. This shift marks a significant evolution in enterprise attacks, as more than 45% of organizations now deploy Macs in their networks.

Macs are particularly popular among developers and DevOps professionals, who often store sensitive credentials, cloud access keys, and source code on their machines. However, macOS-focused attack techniques remain less documented than those targeting Windows, leaving security teams with blind spots. The Cisco Talos research highlights how adversaries exploit legitimate system binaries and protocols—a tactic known as living-off-the-land (LOTL)—to bypass traditional defenses.

How Attackers Abuse macOS Native Tools for Execution

Remote Application Scripting (RAS), a feature designed for administrative automation, is one of the primary tools being exploited. By leveraging Apple’s inter-process communication (IPC) framework, attackers can execute commands on remote systems without triggering shell-based monitoring. This allows them to issue instructions stealthily, avoiding detection by conventional endpoint security tools.

In some cases, adversaries bypass built-in restrictions by using Terminal as a proxy. They encode payloads in Base64 and deploy them in stages, enabling complex scripts to run while evading standard command-line activity alerts. Other techniques include executing AppleScript over SSH to interact with the graphical user interface, or using tools like socat to establish remote shells without relying on SSH logging or authentication trails.

Security teams face additional challenges because actions performed through Apple Events or IPC often fall outside traditional endpoint detection rules. As a result, these LOTL techniques can go unnoticed for extended periods.

Covert Data Movement and Persistence Using Spotlight

Attackers are also using unconventional methods to transfer and store payloads. One notable approach involves embedding malicious code in Finder comments, which are stored as Spotlight metadata rather than in file contents. This technique allows payloads to evade static analysis tools that scan files for malicious code. The data can later be extracted, decoded, and executed with a single command.

Beyond Spotlight, the research highlights multiple native protocols used for lateral movement and file transfer:

• Server Message Block (SMB) for mounting remote shares
• Netcat for direct command execution and file delivery
• Git repositories for pushing payloads to target systems
• Trivial File Transfer Protocol (TFTP) and Simple Network Management Protocol (SNMP) for covert data exchange

Because these methods rely on legitimate services, they often bypass network monitoring focused on SSH or known malicious traffic patterns. This makes them particularly dangerous for enterprise attacks, where stealth is paramount.

Defending Against macOS-Based LOTL Attacks

To counter these threats, Cisco Talos recommends shifting detection strategies toward process lineage analysis. Monitoring unusual metadata activity and restricting administrative services through mobile device management (MDM) policies can also help. Additionally, disabling unnecessary services and enforcing stricter controls over inter-application communication can reduce the attack surface.

Security teams should also consider implementing endpoint detection solutions tailored for macOS to improve visibility into native tool usage. For more insights on protecting your enterprise, check out our guide on macOS security best practices.

As macOS continues to gain traction in enterprise environments, understanding how macOS native tools can be abused is critical. By staying informed and adopting proactive defenses, organizations can mitigate the risks posed by these stealthy LOTL techniques.

Former L3Harris executive ordered to pay $10 million for selling classified hacking tools to Russian broker

A former high-ranking executive at a major US defense contractor has been ordered to pay $10 million in restitution after pleading guilty to selling advanced hacking tools to a Russian broker. Peter Williams, once the general manager of L3Harris’s Trenchant division, was sentenced for stealing trade secrets and selling hacking tools that could have compromised millions of devices worldwide.

The $10 million restitution order and its implications

On Wednesday, a federal judge ordered Williams to pay $10 million to his former employer, L3Harris. This amount comes on top of $1.3 million he had already been ordered to pay. The case, first reported by veteran cybersecurity journalist Kim Zetter, underscores the severe consequences of insider threats in the defense sector.

Williams, a 39-year-old Australian citizen and former intelligence agency employee, admitted to stealing seven trade secrets—likely cyber exploits and surveillance technology—from Trenchant. He then sold this sensitive material to Operation Zero, a Russian firm that acts as a broker for hacking tools and works exclusively with the Russian government and local companies.

How the theft unfolded: Inside the Trenchant division

Trenchant, formed from the acquisition of two sister startups, is L3Harris’s division specializing in advanced spyware and hacking tools. It sells these capabilities to the US government and its Five Eyes intelligence alliance partners—Australia, Canada, New Zealand, and the United Kingdom.

Williams exploited his privileged full access to Trenchant’s internal network to siphon out the tools. He made $1.3 million from the sale, spending the proceeds on luxury watches, a house near Washington, D.C., and family vacations. Trenchant reported losses of up to $35 million due to his theft.

Russian and Chinese cybercriminals used the stolen tools

US prosecutors stated that Williams betrayed the United States and its allies by providing Operation Zero—described as one of the world’s most nefarious exploit brokers—with tools that could hack millions of computers. According to former L3Harris employees, some of these stolen hacking tools were later used by Russian government spies in Ukraine and Chinese cybercriminals.

Google’s cybersecurity research identified the stolen code in cyberattacks, confirming the tools’ deployment. Williams even attempted to frame one of his employees for the theft, adding another layer of deceit to his crimes.

Sentencing and legal consequences

Williams pleaded guilty and received a prison sentence of more than seven years. The $10 million restitution order aims to compensate L3Harris for its losses. His lawyers did not respond to requests for comment.

This case serves as a stark reminder of the risks posed by insider threats in the defense industry. For more on cybersecurity risks, read about insider threat prevention strategies. Additionally, explore how government cybersecurity measures are evolving to counter such espionage.

Building on this, companies must strengthen their internal security protocols to prevent similar breaches. As a result, the defense sector is now reviewing access controls and monitoring systems more rigorously.