Posted by stefanpie 19 hours ago
https://techcrunch.com/2026/05/07/hackers-deface-school-logi...
They moved away from Teams because it objectively sucked, but I haven't heard of widespread compromises like this in Microsoft's systems so...
It's always been as stupid as requiring that your chalkboard, chalk, chairs, bluebooks, pens, paper, gradebook etc etc all come from the same company.
I, for one, am very much looking forward to my IT Gov council meeting tomorrow.
And GitHub doesn't provide a way to record grades that remain private per student last I checked, much less sync them to the university, or 99% of other things Canvas does.
I don't love Canvas, but it's far, far preferable to a world without it.
last I checked it appears grades remain private per planet or so ...
Or is it an entirely different class of beast?
Canvas generally is the 'easiest' to use, and the 'cleanest' looking one although D2L Brightspace is pretty good too. Moodle out of the box is pretty confusing and ugly, but I've seen some heavily customized instances that look a lot better. Blackboard is the worst of the bunch IMO.
Looking into the payload they sent me, this is how they hijacked the screen. Everything in the payload is unchanged except for one line of code:
<link rel="stylesheet" href="https://instructure-uploads.s3.amazonaws.com/account_9363000..." media="all"/>
This links to the following styling sheet:
@import url('https://fonts.googleapis.com/css2?family=Orbitron:wght@500;7...');
html, body { height: 100% !important; overflow: hidden !important; margin: 0 !important; padding: 0 !important; }
body > * { display: none !important; }
body { display: flex !important; align-items: center !important; justify-content: center !important; background: #07080c !important; }
body::before { content: "" !important; position: fixed !important; inset: 0 !important; z-index: 999998 !important; background: radial-gradient(ellipse at 50% 20%, rgba(255,59,59,.06), transparent 55%), radial-gradient(ellipse at 50% 85%, rgba(125,70,152,.04), transparent 45%), repeating-linear-gradient(0deg, rgba(255,255,255,.035), rgba(255,255,255,.035) 1px, transparent 1px, transparent 3px), #07080c !important; pointer-events: none !important; }
body::after { content: "\A\A" "S H I N Y H U N T E R S" "\A" "rooting your systems since '19 ;)" "\A\A\A" "ShinyHunters has breached Instructure (again)." "\A" "Instead of contacting us to resolve it they" "\A" "ignored us and did some \201Csecurity patches\201D." "\A\A" "\26A0 W A R N I N G" "\A\A" "If any of the schools in the affected list are" "\A" "interested in preventing the release of their" "\A" "data, please consult with a cyber advisory firm" "\A" "and contact us privately at TOX to negotiate a" "\A" "settlement. You have till the end of the day by" "\A" "12 May 2026 before everything is leaked." "\A\A" "Instructure still has until EOD 12 May 2026" "\A" "to contact us." "\A\A" " \25BC DOWNLOAD AFFECTED_SCHOOLS.TXT \25BC" "\A" "91.215.85.103/pay_or_leak/" "\A" "instructure_affected_schools_list.txt" "\A\A" "visit us: shnyhntww34phqoa6dcgnvps2yu7dlwzmy5" "\A" "lkvejwjdo6z7bmgshzayd.onion" !important;
position: fixed !important;
z-index: 999999 !important;
top: 50% !important;
left: 50% !important;
transform: translate(-50%, -50%) !important;
white-space: pre !important;
text-align: center !important;
font-family: 'Fira Code', 'Share Tech Mono', monospace !important;
font-size: clamp(10px, 1.4vw, 14px) !important;
line-height: 1.55 !important;
color: #c8dce8 !important;
background:
linear-gradient(180deg, rgba(255,255,255,.05) 0%, rgba(255,255,255,.01) 3.2%, transparent 3.2%) !important;
background-color: #0d0f16 !important;
border: 2px solid #ff3b3b !important;
border-radius: 14px !important;
padding: 16px 32px !important;
overflow: hidden !important;
box-shadow:
0 0 35px rgba(255,59,59,.2),
0 40px 90px rgba(0,0,0,.65),
inset 0 0 0 1px rgba(255,255,255,.06),
inset 0 0 50px rgba(255,59,59,.03) !important;
animation: pulseWarn 2.5s infinite ease-in-out !important;
max-width: 94vw !important;
text-shadow: 0 0 6px rgba(200,220,232,.15) !important;
}
@keyframes pulseWarn { 0% { box-shadow: 0 0 20px rgba(255,59,59,.15), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } 50% { box-shadow: 0 0 55px rgba(255,59,59,.4), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } 100% { box-shadow: 0 0 20px rgba(255,59,59,.15), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } }
The hack is crude, and it seems unlikely that they have any access to Instructure's developer tools.
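A defender-side check for the pattern in the stylesheet quoted above, as an added example that is not part of the thread or any vendor's code: it flags a stylesheet that hides every child of `<body>` and paints long text through a fixed, high z-index pseudo-element. The function names, finding labels, both thresholds and the sample CSS are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. Both thresholds are assumptions to tune.
const MIN_Z_INDEX = 1000; // assumed floor for "sits above the whole page"
const MIN_TEXT_LEN = 80;  // assumed floor for "a message, not decoration"

// Split CSS into top-level rules; quote tracking keeps ';' or '{' in strings inert.
function topLevelRules(css) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const rules = [];
  let depth = 0, start = 0, selector = "", quote = null;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) {
      if (c === "\\") i++; // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === ";" && depth === 0) start = i + 1; // statement such as @import
    else if (c === "{" && depth++ === 0) { selector = text.slice(start, i).trim(); start = i + 1; }
    else if (c === "}" && --depth === 0) {
      if (!selector.startsWith("@")) rules.push({ selector, body: text.slice(start, i) });
      start = i + 1;
    }
  }
  return rules;
}

// Two-part pattern: all <body> children hidden + fixed, high z-index text pseudo-element.
function analyzeStylesheet(css) {
  const findings = new Set();
  for (const { selector, body } of topLevelRules(css)) {
    for (const sel of selector.split(",").map((s) => s.trim().toLowerCase())) {
      if (/^(html\s*>\s*)?body\s*>\s*\*$/.test(sel) && /display\s*:\s*none/i.test(body))
        findings.add("hides-all-body-children");
      if (!/^(html|body)::?(before|after)$/.test(sel)) continue;
      const strings = body.match(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g) || [];
      const textLen = strings.reduce((n, s) => n + s.length - 2, 0);
      const z = /z-index\s*:\s*(\d+)/i.exec(body);
      if (/position\s*:\s*fixed/i.test(body) && z && Number(z[1]) >= MIN_Z_INDEX && textLen >= MIN_TEXT_LEN)
        findings.add("text-overlay-pseudo-element");
    }
  }
  const list = [...findings].sort();
  return { findings: list, takeover: list.length === 2 };
}

// Constructed samples with placeholder text (not the stylesheet quoted above).
const SUSPECT_CSS = `@import url('https://fonts.example/css2?family=A:wght@500;700');
body > * { display: none !important; }
body::after { content: "PLACEHOLDER NOTICE {1}" "\\A" "${"x".repeat(80)}" !important;
  position: fixed !important; z-index: 999999 !important; }
@keyframes pulse { 0% { opacity: 1; } 100% { opacity: .5; } }`;
const BENIGN_CSS = 'body::before { content: ""; position: fixed; z-index: 1; } .modal > * { display: none; }';
```

Run over every stylesheet a login page links, a `takeover` result on a tenant-uploaded theme file is a page-integrity signal worth alerting on even when the surrounding HTML is unchanged.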