Canvas online again as ShinyHunters threatens to leak schools’ data

Scale and Immediate Impact

  • Reports from students, parents, and staff worldwide that Canvas instances went down or showed a ShinyHunters ransom/defacement screen.
  • Affects K‑12, universities, entire state systems, and international institutions (e.g., Australia, Iceland). Timing coincides with finals, midterms, AP exams, and graduation deadlines.
  • Many testing centers shut, online exams interrupted mid‑attempt, grades inaccessible, and some finals cancelled or moved to email/Google Drive/paper.

Technical and Architectural Issues

  • Multiple commenters say this is at least the “second wave” after an earlier breach in late April/early May.
  • Canvas is described as a large multitenant Rails app backed by many Postgres clusters; compromise of app servers can expose “keys to the kingdom.”
  • Defacement appears to have been implemented via a malicious CSS override loaded from an Instructure-controlled S3 bucket.
  • DNS examples show many institutions’ Canvas subdomains CNAME into instructure.com, reinforcing a single-provider, shared‑infra dependency.
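As an added example (not code from the thread or from Instructure), a defender-side integrity check for the CSS-override defacement described above: it lists the stylesheets a Canvas page references, hashes each body against a known-good baseline, and flags a changed sheet that introduces a full-page fixed overlay. The URLs, bucket name, CSS bodies and baseline are constructed placeholders, and `fetch` is a caller-supplied function that returns stylesheet text.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample: a Canvas-style login page referencing a core stylesheet
# and a tenant "theme" stylesheet served from a bucket (placeholder bucket name).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://canvas.example.edu/dist/brandable_css/core.css">
<link rel="stylesheet" href="https://example-theme-bucket.s3.amazonaws.com/account_1/theme.css">
</head><body>Log in</body></html>"""

# Constructed stylesheet bodies as fetched today. The theme sheet now paints a
# fixed overlay over the whole page, which is what a CSS-only defacement looks like.
SAMPLE_BODIES = {
    "https://canvas.example.edu/dist/brandable_css/core.css": "body{font-family:sans-serif}",
    "https://example-theme-bucket.s3.amazonaws.com/account_1/theme.css":
        "body::before{content:'SITE DEFACED (sample)';position:fixed;inset:0;z-index:99999}",
}

# Baseline SHA-256 hashes recorded on a known-good day, keyed by stylesheet URL.
BASELINE = {
    "https://canvas.example.edu/dist/brandable_css/core.css":
        hashlib.sha256(b"body{font-family:sans-serif}").hexdigest(),
    "https://example-theme-bucket.s3.amazonaws.com/account_1/theme.css":
        hashlib.sha256(b".ic-Login{background:#003366}").hexdigest(),
}

class StylesheetLinks(HTMLParser):
    """Collect href values of <link rel="stylesheet"> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.hrefs.append(a["href"])

# Heuristic for a full-page overlay: a fixed-position rule with a very high z-index.
OVERLAY = re.compile(r"position\s*:\s*fixed.*?z-index\s*:\s*\d{4,}", re.S)

def audit_stylesheets(html, fetch, baseline):
    """Return (url, reason) findings for stylesheets missing from or differing from baseline."""
    parser = StylesheetLinks()
    parser.feed(html)
    findings = []
    for url in parser.hrefs:
        if url not in baseline:
            findings.append((url, "stylesheet not in baseline"))
            continue
        body = fetch(url)
        if hashlib.sha256(body.encode()).hexdigest() != baseline[url]:
            reason = "hash changed"
            if OVERLAY.search(body):
                reason += "; contains full-page fixed overlay"
            findings.append((url, reason))
    return findings
```

Run it against the live page on a schedule and treat any finding on the theme sheet as an alert, since a branding-bucket change outside a planned theme update is exactly the signal the thread describes.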

Communication and Incident Response

  • Users criticize Instructure for labeling the outage as “scheduled maintenance” or generic “under maintenance,” with little direct acknowledgment of a breach.
  • Some institutions say they are getting almost all technical detail from third‑party forums rather than official channels.
  • Status pages sometimes mark instances “up” because the maintenance page loads, masking true downtime.

Data Exposure and Risk

  • Attackers claim to have data for 8,000+ institutions and threaten to leak it by a specific date unless paid.
  • Concerns about exposure of PII, grades, old course shells, private student–faculty messages, and possibly transcript data via acquired service Parchment (Parchment’s status page says no impact seen so far).
  • People worry about long‑retained historical student data (including minors) and lack of deletion policies.

SaaS vs. Self‑Hosting Debate

  • Strong debate over whether universities should:
    • Keep using centralized SaaS (Canvas, etc.).
    • Self‑host open‑source LMSs (Canvas, Moodle, Sakai).
    • Or even build/maintain in‑house systems.
  • Arguments for SaaS: economies of scale, feature richness, historical on‑prem failures, and staffing limits.
  • Arguments for self‑hosting/homegrown: reduced blast radius, local control, better alignment with academic missions, and less vendor lock‑in.

Liability, Law, and Ransom Policy

  • Many call for stronger legal consequences for lax security, including corporate officer liability and automatic civil penalties per leaked record.
  • Others caution that:
    • Perfect security is impossible.
    • Over‑criminalizing victims may backfire or increase incentives to pay ransoms secretly.
  • Mixed views on banning ransom payments entirely; some see it as essential deterrence, others as unrealistic or harmful in life‑or‑death contexts (e.g., hospitals).