Hackers Steal Student Data in Major Breach at Education Tech Giant Instructure

The education technology sector has been rocked by a significant security incident. Instructure, the company behind the widely used Canvas learning management system, has confirmed a data breach that exposed sensitive student information. The notorious hacking group ShinyHunters has taken credit for the attack, claiming to have accessed a trove of personal data.

What Was Stolen in the Instructure Data Breach?

According to the company’s official statement, the breach affected students’ private details. The hackers allegedly obtained names, personal email addresses, and messages exchanged between teachers and students. This matches the type of data Instructure admitted was compromised.

ShinyHunters shared a sample of the stolen information with TechCrunch, including records from two U.S. schools—one in Massachusetts and one in Tennessee. The Massachusetts data contained messages with names, email addresses, and some phone numbers. The Tennessee sample included full names and email addresses. Notably, passwords were not part of the leaked data, and Instructure confirmed that other sensitive data types remained unaffected.

ShinyHunters: The Group Behind the Attack

ShinyHunters has a track record of targeting universities and cloud database companies. This gang is financially motivated and often threatens to publish stolen data unless a ransom is paid. On its leak site, the group claimed the breach impacted nearly 9,000 schools worldwide and exposed data on 275 million individuals, including students, teachers, and staff. In an online chat, a ShinyHunters member told TechCrunch that the stolen data contained 231 million unique email addresses.

However, experts caution that such groups often exaggerate their claims to attract media attention and pressure victims. TechCrunch could not independently verify the full scope of the breach.

Impact on Schools and the Canvas Platform

Instructure’s Canvas platform is a cornerstone for many educational institutions, enabling course management, assignments, and communication. The breach raises serious concerns about the security of student data on such platforms. Schools using Canvas should review their security protocols and consider tips for protecting student information.

ShinyHunters also released a list of approximately 8,800 schools allegedly affected. While Instructure claims over 8,000 institutional customers, TechCrunch could not confirm whether all listed schools were affected or were even Instructure clients. The company’s spokesperson, Kate Holmes, declined to answer specific questions and directed inquiries to the company’s official update page.

Restoration Efforts and Ongoing Investigation

As of Tuesday, Instructure reported that some products, including Canvas, were restored for customers after undergoing maintenance. The company is continuing to investigate the breach and update its response. For those seeking more information, Instructure’s cybersecurity best practices for schools guide offers additional guidance.

This incident underscores the growing threat of cyberattacks on educational institutions. Schools must remain vigilant and implement robust security measures to safeguard sensitive data.

ZionSiphon Malware: A New Cyber Threat to Water Treatment and Desalination Plants

Security researchers have uncovered a new strain of malware, dubbed ZionSiphon, that specifically targets water treatment and desalination infrastructure. Discovered by Darktrace, this malicious software combines traditional endpoint hacking techniques with capabilities designed to interfere with industrial control systems (ICS). The discovery signals a worrying trend in cyberattacks aimed at critical infrastructure.

This ZionSiphon malware water infrastructure threat is not just another piece of code—it’s a sophisticated tool that could potentially disrupt essential services. In this article, we break down how it works, what it targets, and why it matters for global cybersecurity.

How ZionSiphon Malware Targets Water Systems

The malware includes hardcoded references to specific infrastructure components, such as desalination plants and wastewater systems. It also checks for software linked to reverse osmosis and chlorine control. This targeting logic ensures that the malware only activates under precise geographic and environmental conditions.

For example, the code restricts execution to IP ranges associated with Israel. It also embeds politically charged messages, hinting at the motivations behind the campaign. However, these strings do not affect execution—they simply provide context for the attackers’ intent.

Sabotage Functions and ICS Network Scanning

Once deployed in a qualifying environment, ZionSiphon attempts to manipulate local configuration files tied to industrial processes. It appends predefined values related to chlorine dosing and system pressure. If successful, this could disrupt water treatment operations, leading to unsafe water quality or system failures.

In addition, the malware includes a network discovery routine that scans local subnets for ICS devices. It probes common industrial protocols, including Modbus, DNP3, and S7comm. Darktrace observed that the Modbus-related functionality is the most developed, allowing the malware to read and potentially modify register values. However, implementations for DNP3 and S7comm appear incomplete, suggesting partial development or testing stages.

Key Capabilities of the Water Infrastructure Malware

ZionSiphon exhibits several notable features designed to compromise water infrastructure:

• Subnet-wide scanning for ICS devices using common OT protocols
• Attempts to modify chlorine dosing and pressure parameters
• Propagation via removable media using disguised executables
• Persistence through registry modifications and hidden file placement

Despite these capabilities, the analyzed sample contains a flaw in its country validation logic. This error prevents the malware from correctly identifying intended targets. As a result, it may fail to activate its payload and instead trigger a self-deletion routine.

Indicators of Early-Stage OT Malware Development

The incomplete elements within ZionSiphon point to a tool still under development or not fully operational at the time of analysis. Errors in execution logic and partially implemented protocol support limit its immediate effectiveness. Even so, the structure of the malware reflects a growing interest among threat actors in developing tools capable of interacting directly with industrial processes.

Its combination of IT-based infection methods and OT-specific targeting illustrates an evolving approach to critical infrastructure attacks. While this version may not pose an immediate operational threat, it demonstrates how adversaries are experimenting with techniques that could, in more mature forms, disrupt physical systems and essential services.

For more on OT security, check out our article on OT cyber threats and learn how to protect your industrial control systems.

What This Means for Water Sector Cybersecurity

This discovery underscores the urgent need for enhanced cybersecurity measures in the water sector. As malware like ZionSiphon evolves, utilities must prioritize network segmentation, regular patching, and employee training to mitigate risks. Collaboration between government agencies and private companies is also crucial to share threat intelligence and develop robust defenses.

In conclusion, while ZionSiphon may be an early-stage threat, it serves as a stark reminder that critical infrastructure remains a prime target for cyberattacks. Staying vigilant and proactive is the best defense against such emerging dangers.

Kaspersky Uncovers Chinese Hackers’ Backdoor in Daemon Tools: A Widespread Supply Chain Attack

Security researchers at Kaspersky have identified a malicious backdoor embedded in the popular Windows disc imaging software, Daemon Tools. This discovery marks a significant supply chain attack that compromises thousands of computers globally.

According to a Tuesday report from the Russian cybersecurity firm, data collected from systems running Kaspersky’s antivirus software reveals a “widespread” campaign targeting Windows machines that use Daemon Tools. The hackers, linked to a Chinese-language speaking group based on malware analysis, exploited this backdoor to infiltrate a dozen high-value targets.

How the Chinese Hackers Backdoor Daemon Tools Works

Kaspersky’s investigation shows that the backdoor was first detected on April 8. The attackers used it to deploy additional malware on computers in the retail, scientific, and manufacturing sectors, as well as government systems. This selective targeting suggests a “targeted” effort, with victims located in Russia, Belarus, and Thailand.

The company noted that the supply chain attack remains “still active,” meaning the hackers can continue to plant malware on any system running the compromised software. This is a classic example of a supply chain attack, where malicious code is injected into legitimate software updates, affecting all users who download them.

The Mechanics of the Daemon Tools Backdoor

When TechCrunch downloaded the Windows installer from Daemon Tools’ official website, a check with the online malware scanner VirusTotal confirmed the presence of the backdoor. It remains unclear whether the macOS version of Daemon Tools or other Disc Soft applications are affected.

Kaspersky contacted Disc Soft, the company behind Daemon Tools, but did not disclose whether the developer responded or took immediate action. The ongoing nature of the attack raises concerns about the security of software supply chains.

Why This Supply Chain Attack Matters

This incident is part of a growing trend of supply chain attacks targeting popular software. Earlier this year, Chinese government-associated hackers hijacked the text editing software Notepad++ to deliver malware. Similarly, security researchers warned of an attack on CPUID, maker of HWMonitor and CPU-Z tools.

Supply chain attacks are particularly dangerous because they allow hackers to compromise a large number of systems at once by inserting malicious code into trusted software updates. This approach exploits the trust users place in legitimate applications, making it harder to detect.

For more insights on protecting your systems, read our guide on how to prevent supply chain attacks.

Response from Daemon Tools Developer Disc Soft

When contacted for comment, a Disc Soft representative stated they are “aware of the report and are currently investigating the situation.” The representative added, “Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users.”

This response indicates that Disc Soft is taking the threat seriously, but users should remain cautious. As the investigation unfolds, it is crucial for organizations using Daemon Tools to monitor for unusual activity and apply any security patches promptly.

What Users Should Do Now

If you use Daemon Tools on Windows, consider temporarily uninstalling the software until Disc Soft releases a clean update. Run a full antivirus scan with a reputable solution like Kaspersky or Malwarebytes to check for infections. Additionally, review your system for any signs of compromise, such as unexpected network traffic or new processes.

Building on this, organizations in the affected sectors should conduct a thorough security audit. Implementing strict software update policies and using endpoint detection tools can help mitigate risks. For further reading, check our article on best practices for software supply chain security.

Finally, stay informed about the latest cybersecurity threats. Following trusted security blogs and subscribing to threat intelligence feeds can provide early warnings. As this story develops, we will update with more details from Kaspersky and Disc Soft.