By NHI Mgmt Group Editorial Team
Published 2026-05-19
Domain: Governance & Risk
Source: Delinea

TL;DR: ShinyHunters stole 3.65 terabytes of data from Canvas after gaining access through voice phishing, credential harvesting, and MFA device registration, according to Delinea. The breach shows that once credentials are captured, security depends on continuous authorization and NHI governance, not just login controls.


At a glance

What this is: This is Delinea's analysis of the Canvas breach and the identity controls it says failed after attackers moved through human access, delegated trust, and non-human identities.

Why it matters: It matters because IAM teams need to govern what identities can do after authentication, especially where NHIs, vendor credentials, and privileged access extend the blast radius of a single compromise.

By the numbers:

👉 Read Delinea's analysis of the Canvas breach and identity risk


Context

The core issue is not simply that attackers got in. The real problem is that identity programmes still assume authentication is the control point, when the breach path shows access can be turned into sustained privilege after login. In this case, the relevant governance gap spans human identity, vendor trust, and non-human identities.

Delinea's account frames Canvas as a shared access layer, not a single application, which is the correct way to read the incident for identity teams. Once an attacker can register a device, reuse captured credentials, and move into service accounts or tokens, traditional perimeter thinking stops being useful.


Key questions

Q: How should security teams implement continuous authorization after login?

A: Start by treating authentication as the beginning of control, not the end. Bind access to task scope, device trust, session context, and current risk signals so a valid login does not automatically preserve broad access. The goal is to reduce what a compromised identity can do after entry, especially across SaaS, delegated access, and privileged workflows.

Q: Why do non-human identities increase breach impact in SaaS environments?

A: Because they often hold persistent permissions that human controls do not regularly revisit. Service accounts, tokens, and automation grants can provide lateral movement, data access, and operational reach long after the original account is detected. In practice, one compromised human session can become a much larger incident when NHIs are ungoverned.

Q: What do security teams get wrong about MFA in identity attacks?

A: They often assume MFA ends the problem once the code is entered. In reality, an attacker can still register devices, sustain sessions, and exploit downstream trust if post-authentication controls are weak. MFA helps, but it does not replace continuous authorization, device governance, or review of delegated access.

Q: Who is accountable when vendor credentials touch production data?

A: The organisation that owns the data remains accountable even when access is delegated to a vendor. OAuth grants, API tokens, and federated connections should be reviewed as part of the organisation's identity perimeter, not left to initial onboarding decisions. If those credentials can reach production, they need the same governance as internal privileged accounts.


Technical breakdown

Why captured SSO and MFA codes are only the entry point

The attack pattern described here begins with legitimate authentication artefacts, not exploit code. Once a phished user yields SSO credentials and MFA codes, the attacker can register a new device and inherit the user's trust context. That matters because many IAM programmes still treat MFA as the end of the story, when in practice it is only one checkpoint. Device registration, session persistence, and downstream trust decisions become the real control surface. The breach also shows how social engineering collapses the distinction between legitimate and malicious access when the environment accepts the attacker as an authenticated user.

Practical implication: Review device enrolment, session binding, and post-authentication controls as part of access governance, not as separate endpoint issues.

How non-human identities extend breach reach after initial access

Non-human identities are the operational layer that lets attackers expand access without repeatedly confronting human-facing controls. Service accounts, automation pipelines, API tokens, and delegated SaaS grants often hold broader permissions than people realise, especially when they were created for convenience and never revalidated. In a SaaS breach, these identities can provide paths to data movement, administration, and persistence even after the original account is detected. The governance failure is usually visibility first, then privilege scope. That is why NHI management has become a core identity security issue rather than a niche infrastructure concern.

Practical implication: Inventory delegated credentials and service accounts alongside human accounts, then recheck scopes that were never reviewed after onboarding.

What continuous authorization changes after login

Continuous authorization shifts identity control from a one-time allow decision to an ongoing assessment of what the actor can do. In environments like this, the attacker does not need a new exploit to keep operating. They need access that remains broadly valid after the first successful login. Continuous authorization narrows that window by tying access to current context, task scope, and runtime conditions rather than to a static session grant. For identity architects, this is the architectural answer to breaches that unfold after authentication has already succeeded.

Practical implication: Treat post-login privilege as the main control problem and align it with task-scoped access, session review, and real-time revocation.
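The following is an added example, not code from Delinea or from the Canvas incident, showing what the three sections above describe in one place: an authorization check that is re-run on every request and that accounts for device enrolment age, task scope, session age and a runtime risk signal. The policy values, the subject "alice", the device names and the action names are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed policy values for this example, not Canvas or Delinea settings.
PRIVILEGED = {"data:export", "admin:grant"}   # actions a new device may not use yet
PROBATION = timedelta(hours=24)               # how long a newly enrolled device waits
MAX_SESSION_AGE = timedelta(hours=8)
RISK_THRESHOLD = 0.7

@dataclass
class Session:
    subject: str
    device_id: str
    issued_at: datetime
    scopes: frozenset          # task scope bound at login, not "everything the user has"
    risk: float = 0.0          # latest runtime risk signal, 0.0 (none) to 1.0

@dataclass
class IdentityState:
    devices: dict              # device_id -> time it was enrolled for this subject

def authorize(session, state, action, now):
    """Re-run on every request: a valid login never settles the question by itself."""
    if action not in session.scopes:
        return False, "outside task scope"
    enrolled = state.devices.get(session.device_id)
    if enrolled is None:
        return False, "device not bound to identity"
    if action in PRIVILEGED and now - enrolled < PROBATION:
        return False, "new device still in probation for privileged actions"
    if now - session.issued_at > MAX_SESSION_AGE:
        return False, "session exceeded maximum age"
    if session.risk >= RISK_THRESHOLD:
        return False, "risk signal requires step-up"
    return True, "allowed"

def scenario():
    """Constructed walk-through: captured credentials used from a freshly enrolled device."""
    t0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
    state = IdentityState(devices={"laptop-known": t0 - timedelta(days=90)})
    state.devices["phone-unknown"] = t0          # enrolment event right after the phished login
    s = Session("alice", "phone-unknown", t0, frozenset({"course:read", "data:export"}))
    out = {"read": authorize(s, state, "course:read", t0 + timedelta(minutes=5))[0],
           "export_new_device": authorize(s, state, "data:export", t0 + timedelta(minutes=5))[0]}
    s.risk = 0.9                                  # a later anomaly signal narrows even read access
    out["read_high_risk"] = authorize(s, state, "course:read", t0 + timedelta(minutes=10))[0]
    known = Session("alice", "laptop-known", t0, frozenset({"data:export"}))
    out["export_known_device"] = authorize(known, state, "data:export", t0 + timedelta(hours=1))[0]
    out["export_stale_session"] = authorize(known, state, "data:export", t0 + timedelta(hours=9))[0]
    return out
```

The same login succeeds in every case; what changes between calls is how much the session is still allowed to do, which is the distinction the section above draws between admission and execution.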


Threat narrative

Attacker objective: The objective was to preserve authorised-looking access long enough to steal data, widen leverage, and force a ransom outcome.

  1. Entry began with voice phishing and credential-harvesting sites that captured SSO credentials and MFA codes from legitimate users.
  2. Escalation followed when the attacker registered their own devices for ongoing authentication and moved through the environment as an authorised user.
  3. Impact came when the group exfiltrated data at scale and replaced the Canvas login page with a ransom demand, increasing leverage over the victim.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authentication is not the boundary anymore. The Canvas breach shows that identity risk now begins after the login event, not before it. Once an attacker can present valid credentials and a registered device, the control question shifts to what that identity can still reach. Practitioners should read this as a governance failure in post-authentication scope, not a failure of sign-in alone.

Standing trust in non-human identities is a hidden blast-radius multiplier. Service accounts, automation pipelines, and delegated SaaS credentials can carry privileges that human access reviews never touch. Delinea's description of attacker movement through NHIs reinforces a field-wide truth: unmanaged machine access turns one compromised human session into a broader identity incident. The practitioner conclusion is that NHI visibility is now central to breach containment.

Vendor trust should be treated as delegated privilege, not implied safety. The incident path through a SaaS ecosystem shows that OAuth grants, API tokens, and federated connections are part of the identity perimeter. Those connections often outlive the review cycle that created them, which means they accumulate risk even when nobody is actively using them. Security teams should stop treating SaaS trust as a setup decision and start treating it as an ongoing governance problem.

Continuous authorization is becoming the more meaningful control than initial authentication. If an attacker can authenticate as a legitimate user, the remaining question is whether access collapses to task scope or expands into enterprise reach. That is why the strongest identity programmes now control runtime behaviour across human, machine, and AI identities. The implication is straightforward: governance must move from admission to execution.

Identity blast radius: the size of the damage an attacker can cause after one trusted identity is compromised. The Canvas case demonstrates that blast radius grows where sessions, delegated credentials, and machine identities are left broadly valid. This is not a separate category of risk from IAM, it is the outcome of poor IAM design. The practitioner takeaway is to measure how far one identity can move before the incident becomes unrecoverable.

From our research:

What this signals

Identity programmes need to shift from authentication metrics to post-login control metrics. The practical question is no longer how many logins are blocked, but how much access remains after a valid login succeeds. With 72% of organisations reporting or suspecting NHI breaches, per The 2024 ESG Report: Managing Non-Human Identities, the governance gap is structural, not tactical.

Teams should expect SaaS trust chains to receive more scrutiny because delegated access is now a common breach path rather than an edge case. The next programme maturity step is to measure who can create, extend, or persist trust after initial authentication, especially where machine identities sit behind the scenes.


For practitioners

  • Map post-authentication trust paths: Trace where a valid user session can still create new device trust, access delegated SaaS connections, or reach privileged workflows after login.
  • Inventory non-human identities by effective privilege: Catalogue service accounts, tokens, automation accounts, and API grants by the data and actions they can reach, not by owner name alone. Use the Ultimate Guide to NHIs for lifecycle context and review the 52 NHI Breaches Analysis for failure patterns.
  • Tighten device enrolment and session controls: Block attacker-added devices from inheriting long-lived trust and require stronger validation when a new device is bound to an existing identity.
  • Review vendor-held production access: Reassess OAuth grants, API tokens, and SaaS integrations that can touch production data, then align them with the same review standards used for privileged internal accounts.
  • Shorten the attacker's useful session window: Use continuous authorization and rapid revocation so a compromised identity cannot maintain the same level of access across the full incident lifecycle.

Key takeaways

  • The Canvas breach shows that identity risk is now governed by what a session can do after authentication, not just by whether login succeeds.
  • Non-human identities and delegated SaaS access increase blast radius because they extend attacker reach beyond the original human account.
  • Identity teams should prioritise continuous authorization, device governance, and vendor-held access review because those controls narrow the damage path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
OWASP Non-Human Identity Top 10  NHI-01                Addresses visibility gaps and ungoverned non-human identities in SaaS environments.
NIST CSF 2.0                     PR.AC-4               Continuous authorization and least privilege align to access control governance.
NIST Zero Trust (SP 800-207)     AC-4                  Zero Trust requires ongoing verification after login, matching the post-authentication risk here.

Inventory all non-human identities and tie each to an owner, purpose, and expiration policy.


Key terms

  • Continuous Authorization: A control model that keeps evaluating whether an identity should retain access after it has already authenticated. For non-human and human identities alike, it reduces the damage from stolen credentials by tying permissions to current context, task scope, and runtime risk rather than a one-time sign-in event.
  • Non-Human Identity: Any identity used by software, services, workloads, or automation rather than a person. These identities often hold persistent credentials or delegated access, which makes their lifecycle, ownership, and privilege scope central to identity governance and breach containment.
  • Identity Blast Radius: The amount of damage an attacker can cause after compromising one trusted identity. In practice, it reflects how far a session, token, or service account can move across systems before access is revoked or constrained, and it is one of the clearest measures of IAM control strength.

Deepen your knowledge

Identity blast radius, post-authentication control, and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme to contain attacker leverage after login, it is worth exploring.

This post draws on content published by Delinea: After Canvas: How to reduce your identity risk now. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org