
Posted by stefanpie 15 hours ago

Canvas is down as ShinyHunters threatens to leak schools’ data(www.theverge.com)
https://thetech.com/2026/05/07/canvas-breach-26

https://techcrunch.com/2026/05/07/hackers-deface-school-logi...

764 points | 472 comments | page 4
acomjean 10 hours ago|
I used Canvas for some Harvard extension classes 10 to 5ish years ago. It worked OK. Work distributed, grades posted. I didn't realize so many schools used it, or that it was all schools on one instance, which seems kind of nuts.

I lost access when I left as it was tied to my work email. I downloaded a lot, but there was still some useful stuff on the boards.

I wonder what the hackers found out about me. Perhaps the class notes will be lifted to train AI, higher quality than a lot that's on the internet anyway.

Gigachad 10 hours ago|
I discovered one of my old school assignments ended up on some homework help website. I had never posted this document publicly and had only uploaded it to the school's work submission page. Presumably at that point it was shared with multiple third parties for plagiarism checking and such. And then it was exposed in a data breach years later and ended up on the public internet.
alexalx666 4 hours ago||
Respect to the Canvas sales team, it's like Microsoft-level platform lock-in into low-sec infra.
spmartin823 9 hours ago||
One thing I remember from my days in the LMS world is that obfuscated copies of prod tenants were used for testing. Almost every dev had at least one tenant from prod on their local computer. So with some de-obfuscation at least some of the data is plausibly retrievable. Whether that data is also public depends on how the negotiations go.
bagels 14 hours ago||
It's been a long time since I was in school. What does this software do?
mbreese 14 hours ago||
It is how classes (even in person ones) are organized. Assignments, quizzes, links to online textbooks, discussion boards, student/teacher messaging, student group messaging, etc. From the teacher side, I'm not sure if there is a backup copy for things like grades outside of Canvas. It's that pervasive.

Everything from middle school up to grad school.

It's a particularly interesting time to have this happen too -- many finals going on now.

windows_hater_7 14 hours ago|||
It’s a “learning management system.” It replaces a course website in most instances. It’s also used for course grades and you can submit assignments or take quizzes.
Jtsummers 14 hours ago|||
Grades, lessons, quizzes, exams, homework submission, rosters, messaging platform. Lots of things.
adampunk 14 hours ago||
If you’re a student or teacher: nearly everything that matters. Homework, materials, lectures, grades. It’s all on canvas.
kzrdude 1 hour ago||
For my uni: mostly only lecture notes and materials.
kristianp 17 hours ago||
Qld, Australia was also affected: https://www.itnews.com.au/news/qld-gov-says-students-staff-c...
protocolture 12 hours ago|
QLD Government vendor selection is always terrible.
echelon 1 hour ago||
> ShinyHunters

Is that a Pokemon reference?

tabarnacle 1 hour ago|
Yes
poopmonster 14 hours ago||
Student at an impacted university here.

Our whole testing center is down. This is inconvenient, but mainly it's amusing. I swear strangers are talking to each other more. I'm noticing people just sitting in the sun and relaxing. Nature is healing.

(Of course, plenty of people have also just finished their exams, so it's hard to know the cause.)

Any idea what data Instructure-and-also-now-ShinyHunters even purport to have beyond names, profile photos, pronouns, homework assignments, school communications, phone numbers, and email addresses?

i.e. What makes this threat so different from what any old data brokers have already scraped?

What leverage besides aura farming do the ShinyHunters really have?

All I can think of that's really valuable is passwords. And private communications in Canvas DMs. But if you're being at all intimate over your school email, that's kinda on you.

Anyway surely Instructure only stores user public keys or something?

Alternate history question: If they just sold the data, never revealed the hack, and didn't make a scene, from a customer perspective, how different would this be from business as usual?

bigfatkitten 17 hours ago||
I use Canvas for some postgraduate studies, and my teenage daughter uses it at her high school.

We already bond over how awful the Canvas UX is (and she has a bunch of Chrome extensions to improve it.) Now we’ve got something else to gripe over together.

auxiliarymoose 14 hours ago||
It is open source, so you could send pull requests with improvements: https://github.com/instructure/canvas-lms
scratchyone 9 hours ago||
https://github.com/instructure/canvas-lms/pulls?q=is%3Apr+is...

haha i went to go check and they haven't merged a PR since 2017

gareim 9 hours ago||
Look by is:closed instead. They don't merge the PR directly.
copperx 15 hours ago|||
I vibecoded a pretty extensive CLI for Canvas and using it is very pleasant. Joyful, even, when combined with an LLM. Especially when compared to the developer-hostile Blackboard Ultra.
j027 14 hours ago||
Canvas seems like it's not that great. But if you then use Blackboard Ultra it makes Canvas look amazing.
ThrowawayR2 14 hours ago|
I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.
brendanyounger 14 hours ago||
I'll never understand this point of view. If someone would please explain how to create perfectly secure software, I will gladly start writing perfectly secure software. Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths. Malpractice insurance is high. Litigation is constant. And patients still die on the operating table. It's unclear what all the malpractice tort law actually gets you in the end.

cortesoft 13 hours ago|||
> Only after, if it's clear I ignored obviously correct advice, should there be malpractice penalties.

In most of these cases, the companies involved did NOT follow standard security practices.

I am pretty sure that is what people mean when they say "held responsible", they mean "held responsible for failing to follow standard security practices", not for the actual act of getting hacked.

ThrowawayR2 12 hours ago||||
> "Consider surgery instead of software development."

Is that really the analogy you want to use to bolster your argument? Licensing was forced on the medical profession because of rampant quackery causing a large number of deaths. Some of the horrors that went on before enforced medical licensing are well-nigh unbelievable, e.g. https://en.wikipedia.org/wiki/John_R._Brinkley

kelnos 12 hours ago||||
I agree that even if companies do everything right, they can still get popped. But most companies do not do everything right, and they should be legally responsible for those things.

But even if they do everything right, is it really fair to let the companies just shrug their shoulders and say "it happens"? While their users are the ones who really get hurt.

dylan604 13 hours ago||||
> Consider surgery instead of software development. There are general best practices, but the difference between a good surgeon and a poor one is a small number of deaths.

I like this analogy, but deaths shouldn't be the leading indicator, just an indicator. A family member had a surgery with well-known procedures, say removing a gall bladder. Unfortunately, this surgeon skipped a step in lieu of setting a record for the fastest procedure. Because steps were skipped, the gall bladder was not scooped into a net to avoid spilled gall stones, which resulted in stones spilling into the abdominal cavity, requiring numerous follow-up surgeries to remove the spilled stones as they made themselves known. So clearly not following accepted procedures should be a clear win in a malpractice case, yeah? Wrong. No doctor would testify against the surgeon and the case was dismissed. I feel like this is exactly how it would work in software security incidents as well.

dctoedt 12 hours ago||
> this surgeon skipped a step

That was the foundational premise of Dr. Atul Gawande's book The Checklist Manifesto, an expansion of his article The Checklist in The New Yorker [0].

[0] https://www.newyorker.com/magazine/2007/12/10/the-checklist

harikb 14 hours ago|||
Well, you don't know how many more would have died if doctors and hospitals didn't care about their insurance going higher???
cortesoft 13 hours ago|||
I do wonder if that won't just end up INCREASING ransom-type attacks, though?

If we increase the penalties for a company being hacked, you create even MORE incentive for hackers to try to break in, because if they succeed, they have a pretty big stick to threaten companies with when demanding a ransom payment - not only will the company have the negative effect of the data being leaked and the PR that accompanies it, they now know that if they don't pay and the attack becomes public knowledge, they face a big fine or other punishment.

A company is much more likely to pay a big ransom if they know they are just going to end up paying that much or more in fines if they refuse the ransom and report the hack instead.

If you take this route, and increase punishment for being hacked, you are making a pretty big bet that the main reason companies are hacked is because of poor security practices. I am not sure if that is true or not.

ThrowawayR2 12 hours ago||
There's precedent for simply making it illegal to pay the ransom, e.g. https://www.reuters.com/world/uk/uk-plans-ban-public-sector-...
berti 14 hours ago||
That is already happening in the EU [1][2]. Most of the world will catch up soon I suspect, with some notable exceptions.

[1] https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...

[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_...
