Canvas online again as ShinyHunters threatens to leak schools’ data

I've never used Canvas before, but all the LMSes that I've used allow students to enable emails whenever anything is updated, including when grades are posted. This is off by default because it's often 10+ emails a day, because many teachers post notes once a day, and with 5 classes, that adds up pretty quick. I personally have it enabled because it's pretty manageable with some custom Outlook rules, but setting this up is well beyond the capabilities of most students.

Students having records of what their score was doesn't prove to the professor / university what score they received. "FWD: Exam 1 Results" is not especially auditable.

Makes me glad I've always avoided doing my work on web platforms. When we used to have to make presentations in Google Slides I used to do them in Org-mode, then export to Sheets. I still have all those assignments sitting on my disk. Sure, there's versions of them on Google Drive, but I always make sure that the canonical version is the one on my disk.

> They don’t do it, because they want to control the data.

Ironically, this incident shows they don’t have control of anything.

>It’s so simple to send an e-mail to the student ...

What seems easy on hobby projects gets way more difficult at scale. Source: experience.

I guess what surprises me the most is that it’s even legal for schools to outsource the core of what they do to some random tech company.

Either way, they were under no obligation to adopt this garbage technology regardless of whether it’s available, so this is 110% on them.

That's an interesting question and one I'd like to know an answer to as well.

What is the strategic response then? Assuming I'm a student and my grades are gone, and I want to graduate, shouldn't I pick pass/fail?

Does a future employer look at pass/fail vs the grade? do they care? Are there even jobs that matter enough to care out there for them?

This seems like, solving the problem but without actually seeing the broader goal or trajectory education is supposed to follow.

> day where you can deploy your own software you can control and modify as you need.

Canvas is mostly FOSS

https://github.com/instructure/canvas-lms

Universities are not going to write their own software, and no they can’t use ‘agents’ to write and maintain it for them either.

I don't have a list, but I can tell you the University of Iceland is affected.

Spain here. Most of our public Universities have their IT stack on MS... I cannot fathom how much of our national budget goes to their pockets.

Thankfully, I store my teaching materials on my personal non-uni webpage, and the student's marks in my office's computer (apart from the MS-based Uni system).

Whenever something happens with MS, chaos ensues throughout the whose Uni and the students end up paying the consequences.

Teams and SharePoint eventually infect any organisation that uses Office.

There are plenty of European Canvas customers.

> they are likely using all the materials faculty upload to train their AI replacements

Instructure (Canvas's developer) partnered with OpenAI last year [1], about a year after KKR and Dragoneer (PE firms) acquired it [2].

[1] https://www.forbes.com/sites/rayravaglia/2025/07/23/instruct...

[2] https://www.pehub.com/kkr-and-dragoneer-complete-4-8bn-take-...

instructure/canvas-lms is open-source -- is there anything preventing universities from hosting it themselves?

I'm sure the engineers at instructure are not capable of building systems that can do that. You give them too much credit.

This is awful to hear. The idea that students are just half assedly streaming the lectures is really just ruining things in the long run. This is a bit old manny, but showing up to lectures is good. You go to class, you get face time with professors, you can ask impromptu questions, you rub elbows with classmates, you talk on the walk between classes, you maybe run into a cute girl. Friction like walking to class and finding a nook in that annoying hour gap you have, are the things that make life enjoyable.

What a failure of university leadership to allow or even encourage that practice

> Not much overlap between students and HN these days, though?

That's my biggest fear.

Definitely not a criticism of your (hard) work here. Thank you!

We all appreciate the work you do! Thank you!

Final exam season, and it's ongoing in Iceland too, so not just American students.

European students are preparing for their finals.

Here in the UK it's currently exam season. One of my son's had a GCSE exam just today.

Canvas has an easy way of checking if a pdf or other course material is accessible, so many universities are forcing faculty to put all their materials on Canvas. That way if a pdf or powerpoint is not compliant it is immediately flagged. The goal is to reach a "100% accessible" metric.

Note that little of this really helps the students that it is supposed to help, because as you wisely point out, raw HTML is almost by definition extremely accessible. I work in a field that uses Latex and the source code of Latex should also be considered more accessible than the compiled pdf. But for university administrators the only important thing is that the accessibility metric that appears (or used to appear, before today!) on Canvas shows 100% accessible.

Why does everything have to be 100% accessible?

I'm a prof. When I have a student with special needs in my class, the administration tells me ahead of time. I make the necessary allowances - and those differ from case to case, anyway: whether it's extra time in exams, or someone who is deaf, or someone who is blind, or whatever.

When it happens, I make the necessary allowances. When I don't, then...I don't.

The obsession that everything has to be 100% accessible, for every kind of disability, all of the time? That's just nuts, not to mention a complete waste of resources.

I don't think that criminal negligence is the most helpful legal tool for incentivizing improved security. It's too hard to prove negligence.

Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.

This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far to cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.

How could you possibly make it illegal to host insecure services? Is any service 100% secure? And if it were how would we know?

I do agree with the audit and punishments for clear failure to adhere to established standards.

If Boeing claimed a plane was airworthy, but it crashed because basic engineering controls were skipped, we have collectively put our faith in the NTSB to preserve evidence, run an independent technical investigation, etc. There is no such authority for software - most security auditors (SOC2, HITRUST, etc) are just looking at self-reported data.

Just take a look at the recent Epic vs. Health Gorilla lawsuit to see how nonexistent the protection is around exchanging your medical records, one of the most sensitive types of PII.

People who haven’t been hacked just haven’t been looked at. If someone wants to hack you, they will hack you. It’s really unfortunate that people have this level of confidence in their ability.

Here’s an example. https://hacks.mozilla.org/2026/05/behind-the-scenes-hardenin...

I think you're 100000% correct.

These problems will continue as long as it is legal to operate in an unsafe way.

We've learned this in every other industry, but we can't seem to accept it in software. One of my hopes for AI is that it reduces the cost to behave responsibly to a level where this absurd resistance to acting responsibly erodes.

Has a corporate officer ever gone to jail or been meaningfully fined for a data breach?

I have a simpler view on this.

Every service that is online will be hacked eventually, it's only a matter of time.

Time is the most powerful force in the universe.

> Incidents like this should be followed by an audit and charges being laid

What? Why? Who died? This whole thing is perfectly dealt with through civil process.

I think the cat is entirely out of the bag on that one, I’m afraid.

There are no shortage of coins and no shortage of sketchy exchanges. The platforms do work with LEOs, when asked, but my understanding is that unless the perp was a serious nonce, chasing the transfers themselves is a fools errand.

Criminals should focus on proven methods, like Steam Gift cards.

But, then, how would Trump’s family and cronies get paid?

[dead]

Ok, so we treat it as an act of war. Now what? Attack North Korea? Great, the entire city of Seoul gets shelled within five minutes of your attack and hundreds of thousands of innocent people die.

It's very easy to play with lives that aren't yours.

How do you know which country to blame? It is standard practice for foreign actors (or just hackers in general) to use proxies around the world to misdirect and insert false clues as to their origin. It could be an American teenager proxying through North Korea, and it could be a North Korean proxying through another American teenager's residential connection, there's no way to know.

They already do. This is what asymmetric warfare looks like, your weakest links will break in a time of crisis. Focusing on retribution for the Dunder Mifflin cyberattack is pointless, the adversarial motivation is purely to disrupt and extort.

The best response to a cyberattack on critical systems is to take security seriously. Document the offense, avoid the same mistakes and invest in penetration testing. Of course, nobody is incentivized to do that until they're attacked, so the cycle perpetuates itself.

> When will countries start treating cyberattacks as an act of war?

When appropriate. I.e. never.

Uh, who determines that the infrastructure wasn't properly secured? Who is willing to risk prison because some intern accidentally committed an API key or made a dumb mistake. Conversely, what's the chances that no one actually gets prosecuted regardless of how sloppy their security practices are?

interestingly, having actually done the law enforcement side of these investigations, 50% of them are local. And I understand that this is not 100% solution, but neither is any form of law enforcement, but that doesn't mean we should fail to attempt it.

Kids from the local uni having a lark, stalkers, vindictive ex employees, local gangs, criminals who understand their victims because they hail from the same community. These are your local hackers. Sift them from the nation states and international crime groups, then deal with the International as a matter of diplomacy. Because we do this so poorly locally, we have little ammunition to when it comes to diplomacy. "reduce attacks by your crime groups and we buy your natural gas, seel you wheat etc"

Want more motivation?- 75% of the local attacks by volume send funds back to terrorist or separatist organizations.

It is not an in-soluble problem. Sentences are a fraction of the answer, effective and receptive reporting processes are more important, then government backing for investigation and enforcement, then policy around home-team activities (ie don't do the bad things yourselves Mr Gov). Deterrence comes after all that.

Yeah, they identified themselves as ShinyHunters, and the IP they've put on the demonstration page is geocoded to Russia. Notice this is the same group responsible for the Infinite Campus hack last year.

Really, though, if you want someone to blame, Instructure is not a particularly compelling target. Let's review:

1. Iran is intentionally targeting infrastructure due to a war started by the current administration.

2. China is actively seeking corporate secrets to steal and commercialize for themselves, spurred by extreme protectionism and retaliatory tariffs.

3. North Korea is doing anything they can -- including just taking a remote job by proxy -- in order to extract any money.

4. And Russia is working with and aiding all of them, after everything else going on has forced the embargo to break.

5. All of this while completely alienating every single one of the United States' allies.

6. Meanwhile, the American DHS is currently shut down.

7. And this is after Trump cut funding and personnel for CISA severely enough they've had to end the contract with MS-ISAC, meaning all state and local entities can only remain in the organization if they foot the bill for it directly and CISA and other agencies responsible for cybersecurity are more thinly staffed than they have been in decades.

In short, the current administration systematically disassembled all the protections we have built over the last 100 years, and then placed infrastructure -- schools, in this case, but also power companies, water treatment facilities, communications companies, local governments, hospitals, food producers -- directly on the front lines of the modern geopolitical conflict.

That vast ocean that has kept us safe historically is a poor moat in the modern era.

Complete internet blockage of nations allowing the attacks. If foreign governments are you can always execute them. We are living in a different world where this is no longer a zero probability occurrence.

felony murder is pretty widely regarded as a leading factor in incredibly unjust prosecutions and sentencing decisions. perhaps not the best concept to build your ideas on top of.

There is no need to reinvent any wheels by making a homegrown LMS. Moodle exists and is completely open source. Lots of large institutions use it. Even in the case that you need to do something really weird with it that isn't solved by one of the many plugins that exist, you're already 90% of the way there with its base platform, and only 10% remaining for DIY software development.

> LMS's are also just really complicated pieces of software

it's MIT.

The university I went to established has a rule that was essentially "student made software is not permitted to be used." Professors couldn't actually use student made software, the software had to be wrapped up by a "company" and a contract made. This meant that you couldn't just make a tool/utility/whatever and have it be used.

I believe the same applied to the professors themselves, although that was hardly enforced.

I think the current situation shows that outsourcing is also expensive. The costs are just different or not always clear up front.

… so?

My highschool, for a while, had a website, which was eventually replaces by a large corporate CMS. Was the website as complicated or complex as the CMS? No, you would have needed to know HTML to publish to it. The CMS was no doubt "more user friendly", I suppose.

But … the original site had a soul. It was unique to the school. There was a student directory! All lost, because the CMS meant utter standardization between all the schools using it (their pages were all identical, except for each got like a different picture of the school as the banner at the top) and the CMS did not do directory anything.

Of course, the directory largely didn't matter in the end. (This was when you needed people's landlines! Quite laughable nowadays…) But it was still sad to see it lost, and several of us students worked on it, which provided us with some early real-world experience.

A large number of my college professors published their own sites, too, where they'd put their lecture notes, homework, etc. I loved those far more than I loved "Canvas" or whatever the ugly LMS we used was.

I didn't read their comment as a slight to the IT staff, just MIT's decision.

It has been over 5 hours now and there has not been any communication about this being an attack, despite many of us seeing the ShinyHunters message on the login page.

There is a lot of people who likely are unaware the latest outage is because they were compromised again.

Them marking the incident as 'Under Maintenance' means the status page isn't reporting this as an outage and adding to downtime%.

I was going to make a joke that they should have just taken a page from the military and said “Rapid Unscheduled Maintenance”, but I guess that’s actually the phrase for it.

Once again, an example of why corporations should not have free speech. Corporate statements that are transparent lies should be criminally actionable.

My daughter is in 3rd grade and has to do assignments online.

Last month it was a presentation. She had to make a poster that would be displayed on the big electronic "whiteboard" running Windows of some sort. The page layout software was so terrible that she repeatedly deleted the entire thing on accident moving text around.

This month, it was a short paper she had to write in Word, but through Teams. Literally, the Word icon is in the Teams sidebar, and she also had all kinds of trouble with it freezing or misbehaving.

In both cases, I advised her to write all the content in Notes in macOS and when she had it all ready to go we'd paste it into the crappy software so she didn't have to worry about losing any more work.

Long story short, she's non-technical and she's learned a very valuable lesson about these systems and how much trust to place in them.

It's not so bad, I'd say the Christmas PS3 hack was worse

That it tends to provoke unproductive comments like this one. https://news.ycombinator.com/newsguidelines.html#comments

Yeah like their page says "Scheduled Maintenance" which is total B.S. Talking to people at my university's IT side of things Canvas has said nothing to any clients.

It's annoying that this is how internal politics usually works. Decision-makers at an org should be considered just as responsible when a third-party choice goes bad as when an internal tool goes bad.

You’d think this is how it works but universities and schools will still end up holding the bag at the end of the day, irrespective of who is responsible.

> It's interesting that it's the universities being ransomed, while the technical failure was Instructure's.

My guess would be they get likelihood of getting paid when blackmailing 9,000 schools (at least a few would pay up) than blackmailing Canvas/Instructure.

I don't think any SLA/terms would change who gets to feel the pain.

My guess is that they believe by maximizing their attack coverage, the odds are greatest that some of the institutions will pay up. And otherwise, they can still make a bit of money by selling the data.

Don't ransom all your eggs in one basket

But you don't extend that same argument for an agricultural research department by asking them to have a homegrown farm for supplying the university with food!

I dont think a competent CS department requires their being a homegrown or on-prem system for use in the university. That could happen, but if resources could be better spent by purchasing rather than building, then that should be the correct choice.

Canvas is open-source and can be self-hosted.

Moodle?

I believe Canvas was also sold to private equity pretty recently too. https://www.instructure.com/press-release/instructure-to-be-...

My wife and I each have to use it as we're both following an online master's at the same university... it's definitely gone downhill (compared to the days where I originally used it ~20 yrs ago in college; tracker-riddled, slow); surprisingly, a recent change made it so that you can only attend online lessons in Chrome (haven't had time to see if this is just a user-agent thing).

..and be acquired by PE so the cycle can continue.. https://www.instructure.com/press-release/instructure-to-be-... sigh. Barbarians at the gate probably didn't double down on security

LMS’s are a lot like programming languages. There’s the ones people complain about and the ones no one uses.

I actually disagree, based on my time using Blackboard as an admin, student, and teacher. Although my experience is a few years out of date, I found the interface cumbersome and the performance slow.

"Equivocal describes something ambiguous, uncertain, or open to multiple interpretations, often used to intentionally mislead or evade."

do you mean equivalent ?.

Blackboard got a lot better in response to the flood of customers heading to canvas.

That sounds like “circa 2010” to me. And Canvas was launched in 2011, according to the article you linked.