
Canvas breach lessons: are your identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1705
Topic starter  

TL;DR: ShinyHunters stole 3.65 terabytes of data from Canvas after gaining access through voice phishing, credential harvesting, and MFA device registration, according to Delinea. The breach shows that once credentials are captured, security depends on continuous authorization and NHI governance, not just login controls.

NHIMG editorial — based on content published by Delinea: After Canvas: How to reduce your identity risk now

By the numbers:

Questions worth separating out

Q: How should security teams implement continuous authorization after login?

A: Start by treating authentication as the beginning of control, not the end.

Q: Why do non-human identities increase breach impact in SaaS environments?

A: Because they often hold persistent permissions that human controls do not regularly revisit.

Q: What do security teams get wrong about MFA in identity attacks?

A: They often assume MFA ends the problem once the code is entered.

Practitioner guidance

  • Map post-authentication trust paths: Trace where a valid user session can still create new device trust, access delegated SaaS connections, or reach privileged workflows after login.
  • Inventory non-human identities by effective privilege: Catalogue service accounts, tokens, automation accounts, and API grants by the data and actions they can reach, not by owner name alone.
  • Tighten device enrolment and session controls: Block attacker-added devices from inheriting long-lived trust and require stronger validation when a new device is bound to an existing identity.

What's in the full article

Delinea's full blog post covers the operational detail this post intentionally leaves for the source:

  • A step-by-step description of the Canvas breach sequence from vishing to ransom demand
  • Specific examples of how Delinea says continuous authorization is applied across human, machine, and AI identities
  • The vendor's own breakdown of SaaS trust exposure, including vendor credentials and delegated access paths
  • Operational product examples for real-time authorization and privileged access control

👉 Read Delinea's analysis of the Canvas breach and identity risk →

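As an added illustration of the "inventory non-human identities by effective privilege" guidance in the post above (this is example code, not from NHIMG or Delinea), the script below ranks NHIs by what they can effectively reach once delegation chains are followed, and flags production reach and overdue access reviews. All identity names, grants, delegation edges and resource labels are constructed sample data.

```python
# Added example (constructed sample data, not a real tenant): rank NHIs by
# the data and actions they can effectively reach, including via delegation.
from collections import deque

# Identity metadata: kind, nominal owner, days since last access review.
IDENTITIES = {
    "svc-etl": {"kind": "service", "owner": "data-team", "last_review_days": 400},
    "gh-deploy-bot": {"kind": "automation", "owner": "platform", "last_review_days": 30},
    "oauth-crm-sync": {"kind": "api-grant", "owner": "vendor-x", "last_review_days": 900},
    "alice": {"kind": "human", "owner": "alice", "last_review_days": 10},
}
# Direct grants as (resource, scope) pairs.
GRANTS = {
    "svc-etl": {("prod-db", "read"), ("prod-db", "write")},
    "gh-deploy-bot": {("prod-k8s", "deploy")},
    "oauth-crm-sync": {("crm", "read")},
    "alice": {("wiki", "read")},
}
# Delegation edges: identity A may act as identity B (token exchange, SaaS connection).
DELEGATIONS = {"oauth-crm-sync": {"svc-etl"}, "alice": {"gh-deploy-bot"}}
SENSITIVE = {"prod-db", "prod-k8s"}  # resources treated as production
WEIGHT = {"read": 1, "write": 3, "deploy": 3}

def effective_grants(identity):
    """Transitive closure of grants reachable through delegation chains."""
    seen, queue, reach = set(), deque([identity]), set()
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        reach |= GRANTS.get(cur, set())
        queue.extend(DELEGATIONS.get(cur, ()))
    return reach

def privilege_score(grants):
    """Scope weight, tripled when the resource is production."""
    return sum(WEIGHT.get(s, 1) * (3 if r in SENSITIVE else 1) for r, s in grants)

def inventory_report(max_review_days=90):
    """Non-human identities ranked by effective privilege, with review/production flags."""
    rows = []
    for name, meta in IDENTITIES.items():
        if meta["kind"] == "human":
            continue  # human users are governed separately; this is the NHI inventory
        grants = effective_grants(name)
        rows.append({"identity": name, "score": privilege_score(grants),
                     "reaches_prod": any(r in SENSITIVE for r, _ in grants),
                     "delegated_reach": grants - GRANTS.get(name, set()),
                     "review_overdue": meta["last_review_days"] > max_review_days})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Note that the vendor grant `oauth-crm-sync` ranks highest even though its direct scope is read-only on a CRM: the delegation edge into `svc-etl` gives it production write reach that an owner-name inventory would never surface.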
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 254
 

Authentication is not the boundary anymore. The Canvas breach shows that identity risk now begins after the login event, not before it. Once an attacker can present valid credentials and a registered device, the control question shifts to what that identity can still reach. Practitioners should read this as a governance failure in post-authentication scope, not a failure of sign-in alone.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when vendor credentials touch production data?

A: The organisation that owns the data remains accountable even when access is delegated to a vendor. OAuth grants, API tokens, and federated connections should be reviewed as part of the organisation's identity perimeter, not left to initial onboarding decisions. If those credentials can reach production, they need the same governance as internal privileged accounts.

👉 Read our full editorial: Canvas breach shows why identity risk now spans every identity



   