The Canvas breach proved that prevention is no longer enough

A recent breach of Instructure's Canvas platform by the ShinyHunters group resulted in the theft of 3.65 terabytes of data from approximately 275 million users across over 8,000 institutions. The attackers gained access through compromised "Free-For-Teacher" accounts, which they then used to escalate privileges and exfiltrate sensitive data on a large scale. Notably, the breach did not involve exotic malware or zero-day exploits, highlighting the vulnerability of even seemingly secure systems to targeted attacks¹. The incident forced Canvas offline, led to defacement of login pages at hundreds of schools, and ultimately resulted in a ransom payment. The attack's success demonstrates that prevention measures alone are no longer sufficient to protect against sophisticated threats. This matters to security practitioners because it underscores the need for robust detection and response capabilities to mitigate the impact of breaches, even when prevention fails.