FRESH

Hacker News

Home

Canvas is down as ShinyHunters threatens to leak schools’ data

697 points by stefanpie

by blahedo

15 subcomments

Perspective from the trenches: I teach at a university that uses Canvas. We are in our final exams period right now.
We got our first email (from Academic Affairs) notifying us that it was down at 5:17pm EDT this afternoon, with little info; followup emails were sent at 6:24 and 6:57 with more info, but mostly about how we would be compensating for it and not about what actually was going on (other than, "nationwide shutdown" and "cybersecurity attacks", no further detail). I don't get a sense that they know much more than that, not that I would expect them to.
A perhaps telling detail: they're instructing us to have students email us directly with any work that had been submitted via Canvas. That suggests that they have no particular confidence that it will come back up soon.
I personally am only slightly affected; as a CS professor a lot of my students' work is done on department machines, and submitted that way, and I do the actual exams on paper. More importantly, I've never liked or trusted Canvas's gradebook, and so although I do upload grades to Canvas so students can see them, my primary gradebook is always a spreadsheet I maintain locally.
But I have a lot of colleagues for whom this is catastrophic at a level of "the whole building burnt down with all my exams and gradebooks in it"---even many of those that teach 100% in person have shifted much or all of their assessment into Canvas (using the Canvas "quiz" feature for everything up to and including final exams), and use the Canvas gradebook as their source-of-truth record. We've been encouraged to do so by our administration ("it makes submitting grades easier"). For faculty in that situation, they have few or zero artifacts that the students have produced, the students themselves don't have the artifacts to resubmit via email because they were done in Canvas in the first place, and they have no record of student grades or even attendance (because they managed that all inside Canvas). I guess they have access to the advisory midterm grades from March, if they submitted them (most do, some don't), but that might be it.
My gut feeling on this is that this is either resolved in hours (they have airgapped backups and can be working as soon as they can spin up new servers), or weeks (they don't). Very little in-between. And if that's true and we wake up tomorrow with this unresolved, I really have no idea what a lot of professors at my university and across the country are going to do to submit grades that are fair and reasonable. In the extreme case, they may have to revert to something we did in the pandemic semester (and before that, at my school, in the semester that two major academic buildings actually did burn to the ground a week before finals): let classes that normally count for a grade just submit grades as pass-fail. Because what else can you do?
(Well, one thing you can do is not put your eggs all in one basket, and not trust "the cloud" quite so much, but that ship's already sailed. I do wonder if in the longer term, anybody learns any lessons from this....)
UPDATE: As of 11:45pm EDT, my university's canvas instance is up and running! Here's hoping it stays (but I'll be downloading some stuff just in case...)

by Gabriel54

8 subcomments

I'm surprised how few comments there are on this thread. This is probably affecting millions of students at the most stressful time of the year.
Incidentally I've always hated Canvas and probably every other LMS provider, but what is particularly amusing about this current outage is that it is occurring at exactly the time when universities are demanding that all professors put all of their materials on Canvas, without exception, due to ADA compliance regulations. It is explicitly forbidden for professors to, e.g., refer to pdfs posted on a personal website.
Other commentators here seem not to understand that many faculty also do not enjoy being forced to use Canvas.

by myrandomcomment

17 subcomments

1. It should be illegal for any company to pay ransomware attacks. Period. No pay out ever. 2. The penalty for being the attacker should be linked to the system they violated. If you do this to a hospital and someone dies you are life in prison / chair. The minimum sentence should be so painful that it deters the attack.
No this will not stop this and companies need to be held accountable for their lack of security investment. Every attack should be investigate if the company met an agreed industry standards best practices and staffing, etc. The penalties for not meeting the requirements should be punitive.

by kelnos

5 subcomments

A friend who teaches at MIT said they were hit by this. I found it ironic and a little sad that a place like MIT doesn't have an IT staff that can maintain their own on-prem solutions for things like this.
But it turns out that MIT used to have their own homegrown system, and recently switched to Canvas. Bet they're regretting that now.
The build vs. buy decision seems to have swung very hard toward buy in the last decade, and I think that's a shame. Yes, orgs need to focus on their core competency, and sometimes that means outsourcing things that aren't core competencies to third parties. But there are always downsides.

by BooneJS

2 subcomments

My kids are in the middle of their finals week. What a mess. Universities know nothing, Canvas claims to be in a "scheduled maintenance", and one Prof claims to "not have any copies of material offline" which seems pretty negligent. Sounds like one section of a popular class will be doing paper exams while other sections had Canvas-based "half points for 2nd attempt"-type exams earlier today. How soon before names & grades appear in data dumps?
This would be like TurboTax "scheduling maintenance" on April 14th in the US.

by asdefghyk

0 subcomment

Hundreds of 1,000s of students affected by this hack in Australia ( and no doubt other countries around the world ...) Its more than the 10,000s Australian students mentioned in article below ...
https://www.abc.net.au/news/2026-05-08/students-lose-access-...

by eiiot

2 subcomments

I'm a student at Stanford — this is hitting the whole school hard. Unlike a lot of schools on the east coast that are affected (Brown, Harvard, MIT) we are on the quarter system so we're just ending Midterms right now. We're also lucky enough to have our CS department entirely independent from Canvas, but most of my humanities classes are not so lucky. One art history class is having us submit our midterm papers by uploading to a google drive folder—another is pausing weekly quizzes. The main thing this has revealed is just how dependent students and teachers are on Canvas... I hope that this re-prompts discussions about moving off of a platform that was already (from a student perspective) not very good.

by corvad

1 subcomments

Canvas is handling this terrible. No communication, no status updates, etc. Also looks pretty bad their whole platform was compromised and not a single real report for the breach that already had happened. Wonder how long it will take for SLA violations and lawsuits to manifest, especially with most U.S. schooling having finals right now.

by SoftTalker

5 subcomments

So many universities used to run homegrown or on-prem student systems. This is the downside of consolidating in the cloud. If the infrastructure is compromised, it affects everyone, not just isolated or single installations. I wonder how they are feeling about that decision now? I guess they can say "not our fault" so they might be feeling better than if it was a vulnerability in their own system.

by thecatapps

2 subcomments

I remember when I was in high school (2016? 2017?), I found a super simple XSS in the assignment submission form and told the programming teacher. Canvas then proceeded to lock my account and got me my first (only?) detention. Good times.

by rahidz

0 subcomment

Goddammit. Anyone in the know, know if Parchment was also impacted by this potentially? They were acquired by Instructure a few years ago, and deal with a LOT of transcripts.
Edit: https://status.parchment.com/ says "While Canvas, Canvas Beta and Canvas test are currently unavailable, we are simultaneously monitoring all of our other product environments, including Parchment. We continue to see no reason to believe any Parchment resources have been impacted."

by matthewfcarlson

9 subcomments

I remember circa 2010 a friend of mine at college was like “blackboard sucks, let’s build something new”. At the time I poo pood the idea and lo and behold canvas came out a year later. Outside looking in, they been crushing it.

by exprez135

1 subcomments

The Canvas instance at the nearby university is now down (May 7, 4 PM Eastern), but was briefly displaying the message in this screenshot (1). The ransom message implies that today's problem is the second wave in an attack on Instructure after ignoring their first breach in recent days.
1: https://ibb.co/r29RjdnH

by sharkweek

6 subcomments

My wife is in grad school at a major university and is dealing with this right now the week of midterms for spring quarter.
I totally understand why a university wouldn’t want to bake their own learning portals but just feels like such a single point of risk to use third party solutions for something like this.
Back in my day… all we had was a school email via on-premise services. I guess we registered for classes in a web portal but that’s about it. The idea of online class was entirely foreign at the time. Ain’t nobody hacking a blue book.

by cocoacat

0 subcomment

Also here: https://news.ycombinator.com/item?id=48054386

by somebudyelse

2 subcomments

It looks like Instructure has been removed from the ShinyHunters website. Both the entry and the list of schools has been removed.

by tom1337

3 subcomments

> Canvas is currently undergoing scheduled maintenance
doesn't seem that scheduled to me

by SeanAnderson

3 subcomments

https://status.instructure.com/ implies Canvas became available again about thirty minutes ago from the time of this post.
Is this accurate? Or is this still an ongoing issue?

by incomplete

5 subcomments

yep, i work for a major university and our canvas instance is down. this is really, really bad.
edit: here's the list of impacted universities (unsure if they all have their canvas instances offline, but i'd be surprised if not): http://91.215.85.103/pay_or_leak/instructure_affected_school...

by tptacek

0 subcomment

The boy is a biochem PhD student at UIUC and reports that all their finals are now cancelled. "Is this good news?" I ask. "Yes. Everything coming up Milhouse."

by robertritz

1 subcomments

I'm shocked universities don't host their own LMS? At least large universities have the IT departments to do this. They host compute clusters, so they can certainly host an LMS.

by tech234a

0 subcomment

A post on the official Canvas forum: https://community.instructure.com/en/discussion/666027/ranso...

by bumblehean

0 subcomment

Hugs going out to the teams at Instructure working to fix this. I've been through a similar Ransomware attack (national news stories, lots of customers dead in the water, etc.), and it's about as bad a situation you can wind up in.

by orourke

0 subcomment

My son was in the middle of an exam and then his screen went black and it showed the message from ShinyHunters. Hasn’t been able to get back in since.

by OsrsNeedsf2P

1 subcomments

Somehow I have less distaste for ShinyHunters than I do for the companies who don't secure user data

by corvad

0 subcomment

Just learned the defacement page was hosted from instructure's own aws bucket so seems pretty bad.

by alexalx666

0 subcomment

Respect to Canvas sales team, its like microsoft level platform lock-in into low sec infra

by copperx

1 subcomments

https://archive.is/5v693

by krupan

1 subcomments

A college student I know just sent me a screenshot, he can't access canvas for his school at all

by acomjean

1 subcomments

I used canvas for some Harvard extension classes 10 to 5ish years ago. It worked Ok. Work distributed, grades posted. I didn't realized so many schools used it, or that it was all schools on one instance, which seems kind of nuts.
I lost access when I left as it was tied to my work email. I downloaded a lot, but there was still some useful stuff on the boards.
I wonder what the havkers found out about me. Perhaps the class notes will be lifted to train AI, higher quality than a lot thats on the internet anyway.

0 subcomment

by spmartin823

0 subcomment

One thing I remember from my days in the LMS world is that obfuscated copies of prod tenants were used for testing. Almost every dev had at least one tenant from prod on their local computer. So with some de-obfuscation at least some of the data is plausibly retrievable. Whether that data is also public depends on how the negotiations go.

by bagels

4 subcomments

It's been a long time since I was in school. What does this software do?

by kristianp

1 subcomments

Qld, Australia was also affected: https://www.itnews.com.au/news/qld-gov-says-students-staff-c...

by poopmonster

0 subcomment

Student at an impacted university here.
Our whole testing center is down. This is inconvenient, but mainly it's amusing. I swear strangers are talking to each other more. I'm noticing people just sitting in the sun and relaxing. Nature is healing.
(Of course, plenty of people have also just finished their exams, so it's hard to know the cause.)
Any idea what data Instructure-and-also-now-ShinyHunters even purport to have beyond names, profile photos, pronouns, homework assignments, school communications, phone numbers, and email addresses?
i.e. What makes this threat so different from what any old data brokers have already scraped?
What leverage besides aura farming do the ShinyHunters really have?
All I can think of that's really valuable is passwords. And private communications in Canvas DMs. But if you're being at all intimate over your school email, that's kinda on you.
Anyway surely Instructure only stores user public keys or something?
Alternate history question: If they just sold the data, never revealed the hack, and didn't make a scene, from a customer perspective, how different would this be from business as usual?

by bigfatkitten

3 subcomments

I use Canvas for some postgraduate studies, and my teenage daughter uses it at her high school.
We already bond over how awful the Canvas UX is (and she has a bunch of Chrome extensions to improve it.) Now we’ve got something else to gripe over together.

by ThrowawayR2

3 subcomments

I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.

by danso

2 subcomments

I wonder how much old data Canvas keeps around? Are students who graduated in 2016 going to be at risk of having their academic data leaked?

by plasma_beam

0 subcomment

Our public school system here in Maryland got hit, ransom screen.

by rosie54

0 subcomment

Tbh this is extremely annoying for high school/college students too. High schools are in the middle of AP tests, and many universities have yet to finalize grades, so overall this is a terrible time for this to happen. After the first issue a few weeks ago Canvas should have upped their security and prepared for another attack. They also should provide better communication. If Canvas is down for more than a few days, many schools and universities will have a lot of trouble when it comes time to publish course grades.

by goryramsy

0 subcomment

Down for all students at my University… it’s going to be a headache for all professors to deal with extending due assignments.

by eatmyshorts

1 subcomments

My daughter says that Northeastern is also affected. Is it more widespread? Did they infect all SaaS Canvas universities?

by skeaker

2 subcomments

Pretty cruel to do this right around finals.

by flashman

3 subcomments

What's in the files they've already released? Some of them are > 800GB.

0 subcomment

by owlboy

1 subcomments

I’m not surprised. Canvas kind of sucks. And their development is slow. And they are poor at communicating during mundane events.

0 subcomment

by thatxliner

0 subcomment

I remember this group did something else a while back too.

by Telaneo

0 subcomment

Great. More data gone astray. Given Canvas' handling of the situation, I doubt they're going to learn much.
The timing probably isn't a coincidence. Great time to stress out students and staff alike. Hopefully it doesn't affect them too much in the end, but I imagine it will.

by vondur

1 subcomments

It looks like every CSU System is on the list (California State University). Surprised this hasn't hit the front page yet.

by podiki

2 subcomments

And grades are due in the next week or so for many of these (usually a quick deadline at the end of the semester due to graduation happening)...

by corvad

1 subcomments

Some instances seem to be recovering. I wonder if a ransom was paid.

by incomplete

0 subcomment

i work tech at a university that's impacted by this. while it doesn't impact me directly, many many other staff and instructors i know are heavily affected by this outage. the students are absolutely outraged, mostly because the university hasn't been providing updates as quickly as they'd like, but since the staff/admin are waiting on word from instructure -- and there hasn't been a lot from them, it just generally sucks for all of us.
this is really, really, REALLY bad. it's not great that names/emails/etc will potentially be leaked, but also private messages between students and instructors. and since many of the campus systems rely on canvas integration, things have pretty much ground to a halt a week before finals.
after they were breached on the 1st of this month, instructure had an announcement yesterday that "everything is great! we're good! hackers are gone! we've rotated our keys!".
no. nothing is great. we are not good.

by avs733

1 subcomments

It is absolute chaos at my institution. This is the last day of finals and grades are due Monday morning. Most faculty are spending today, tomorrow, and through the weekend finalizing grades.
What we don't have access to includes:
* Already graded work
* Ungraded work
* overall adn assignment grades
* lists of students and student emails from the course
* messages from students that are often sent through gradescope
Just...complete implosion.

by daledavies

0 subcomment

Eek I bet there are a few people at Instructure who won't be getting much sleep tonight!

by 0xbadcafebee

0 subcomment

Nothing to see here folks. Just another predicable data breach from allowing companies to do whatever the hell they want with sensitive personal information.
This will keep happening, more and more, and never stop, until we create a software building code and legally require it for all online businesses.
Universities, Parents: ya'll actually have the political and economic power to get a software building code passed. This incident isn't the last.

by nektro

0 subcomment

going after systems that affect students is beyond bad taste

by wg0

0 subcomment

You learn all the technical details only to harm people like that instead of making a modest and honest living.
Shame on your existence basically.

by gigel82

1 subcomments

Damn, all schools in our district in Washington moved to Instructure last year.
They moved away from Teams because it objectively sucked, but I haven't heard of widespread compromises like this in Microsoft's systems so...

by jrm4

0 subcomment

Canvas shouldn't exist in its current form, and neither should have Blackboard.
It's always been as stupid as requiring that your chalkboard, chalk, chairs, bluebooks, pens, paper, gradebook etc etc all come from the same company.
I, for one, am very much looking forward to my IT Gov council meeting tomorrow.

by SilverElfin

0 subcomment

Terrible that this affects children and that their information may be ultimately leaked. They need to be greater consequences in the law for security breaches.

by vinni2

2 subcomments

I hate Canvas. I would rather run a course on GitHub. But our university forces it on us. And now this.

by swatson741

0 subcomment

I saw this happen to my Canvas account today. At first I thought it was a prank from the school or Instructure. The message was sent to students which makes no sense. Second, the message that was sent basically implies that ShinyHunter is actively getting patched out, and no one is ever going to give into their demands. They're basically saying that they're done and desperate. It's a strange message for ShinyHunter to send, but I think they were trying to pull off a psyop / FUD.
Looking into the payload they sent me this is how they hijacked the screen. Everything in the payload is unchanged except for one line of code:
<link rel="stylesheet" href="https://instructure-uploads.s3.amazonaws.com/account_9363000..." media="all"/>
This links to the following styling sheet:
@import url('https://fonts.googleapis.com/css2?family=Orbitron:wght@500;7...');
html, body { height: 100% !important; overflow: hidden !important; margin: 0 !important; padding: 0 !important; }
body > * { display: none !important; }
body { display: flex !important; align-items: center !important; justify-content: center !important; background: #07080c !important; }
body::before { content: "" !important; position: fixed !important; inset: 0 !important; z-index: 999998 !important; background: radial-gradient(ellipse at 50% 20%, rgba(255,59,59,.06), transparent 55%), radial-gradient(ellipse at 50% 85%, rgba(125,70,152,.04), transparent 45%), repeating-linear-gradient(0deg, rgba(255,255,255,.035), rgba(255,255,255,.035) 1px, transparent 1px, transparent 3px), #07080c !important; pointer-events: none !important; }
body::after { content: "\A\A" "S H I N Y H U N T E R S" "\A" "rooting your systems since '19 ;)" "\A\A\A" "ShinyHunters has breached Instructure (again)." "\A" "Instead of contacting us to resolve it they" "\A" "ignored us and did some \201Csecurity patches\201D." "\A\A" "\26A0 W A R N I N G" "\A\A" "If any of the schools in the affected list are" "\A" "interested in preventing the release of their" "\A" "data, please consult with a cyber advisory firm" "\A" "and contact us privately at TOX to negotiate a" "\A" "settlement. You have till the end of the day by" "\A" "12 May 2026 before everything is leaked." "\A\A" "Instructure still has until EOD 12 May 2026" "\A" "to contact us." "\A\A" " \25BC DOWNLOAD AFFECTED_SCHOOLS.TXT \25BC" "\A" "91.215.85.103/pay_or_leak/" "\A" "instructure_affected_schools_list.txt" "\A\A" "visit us: shnyhntww34phqoa6dcgnvps2yu7dlwzmy5" "\A" "lkvejwjdo6z7bmgshzayd.onion" !important;
```
    position: fixed !important;
    z-index: 999999 !important;
    top: 50% !important;
    left: 50% !important;
    transform: translate(-50%, -50%) !important;
    white-space: pre !important;
    text-align: center !important;
    font-family: 'Fira Code', 'Share Tech Mono', monospace !important;
    font-size: clamp(10px, 1.4vw, 14px) !important;
    line-height: 1.55 !important;
    color: #c8dce8 !important;
    background:
        linear-gradient(180deg, rgba(255,255,255,.05) 0%, rgba(255,255,255,.01) 3.2%, transparent 3.2%) !important;
    background-color: #0d0f16 !important;
    border: 2px solid #ff3b3b !important;
    border-radius: 14px !important;
    padding: 16px 32px !important;
    overflow: hidden !important;
    box-shadow:
        0 0 35px rgba(255,59,59,.2),
        0 40px 90px rgba(0,0,0,.65),
        inset 0 0 0 1px rgba(255,255,255,.06),
        inset 0 0 50px rgba(255,59,59,.03) !important;
    animation: pulseWarn 2.5s infinite ease-in-out !important;
    max-width: 94vw !important;
    text-shadow: 0 0 6px rgba(200,220,232,.15) !important;
```
}
@keyframes pulseWarn { 0% { box-shadow: 0 0 20px rgba(255,59,59,.15), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } 50% { box-shadow: 0 0 55px rgba(255,59,59,.4), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } 100% { box-shadow: 0 0 20px rgba(255,59,59,.15), 0 40px 90px rgba(0,0,0,.65), inset 0 0 0 1px rgba(255,255,255,.06); } }
The hack is crude, and it seems unlikely that they have any access to Instructure's developer tools.

by aibudaev

0 subcomment

[dead]

by boxingdog

0 subcomment

[dead]

by quiint

0 subcomment

[dead]

by cindyllm

0 subcomment

[dead]

by artificialLimbs

0 subcomment

[flagged]

by infrapilot

2 subcomments

[flagged]

by aaronsung

1 subcomments

At the same time, Aussie tech giant pauses work, devotes entire week to AI Design software giant Canva has halted normal operations across its 5300-strong global workforce for five days of nothing but AI learning and hackathons, bucking the global wave of technology giants that have slashed jobs, citing the technology. https://www.smh.com.au/technology/aussie-tech-giant-pauses-w...