[Cybersecurity Attack Warning] Canvas supplier Instructure compromised by hacker group ShinyHunters

Issued by: Digital Services Division, Office of Library and Information Services
Date range: 2026/5/12 ~ 2026/11/12
 

[Content Description]
Recently, several overseas schools have reported that attackers are targeting the Canvas online teaching platform with account theft and phishing attacks. The attackers may use forged login pages, fake course notification emails, or third-party plugins to trick users into entering their account credentials.

[Affected Platforms]
All Canvas products

[Recommended Measures]
To prevent account theft and data leakage, please stay vigilant and follow these security measures:

1. Verify the login URL: Please log in to Canvas through the official school portal or bookmarks. Avoid clicking on links in emails from unknown sources.

2. Do not enter your account password on suspicious pages: If a page displays an unusual login request, re-verification prompt, or MFA verification notification, first confirm that the URL is correct.

3. Enable Multi-Factor Authentication (MFA): Users whose accounts already support MFA are advised to enable it as soon as possible to reduce the risk of account theft.

4. Pay attention to abnormal notifications: Watch for login records that are not your own, unexpected verification code notifications, unknown announcements or messages appearing in your courses, or abnormal emails sent automatically from your account. If you notice any of these, change your password immediately and notify the IT department.

5. Avoid reusing passwords and change your password frequently: Do not reuse your Canvas password on other websites or systems, and change your password regularly to improve account security. If you discover that your account has been stolen or your data has been leaked, please report it in accordance with the regulations of the Information and Communication Security Incident Reporting, Response, and Drill Procedures.

6. For the progress of the handling of this incident, see the announcement on the official website: https://www.instructure.com/incident_update

[References]
1. https://www.instructure.com/incident_update
2. https://data.dailycal.org/2026-05-07-shiny-hunters
3. https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=12906
4. https://www.ithome.com.tw/news/175580

