116 comments

[ 3.8 ms ] story [ 92.3 ms ] thread
A college student I know just sent me a screenshot, he can't access canvas for his school at all
The Canvas instance at the nearby university is now down (May 7, 4 PM Eastern), but was briefly displaying the message in this screenshot (1). The ransom message implies that today's problem is the second wave in an attack on Instructure after ignoring their first breach in recent days.

1: https://ibb.co/r29RjdnH

I use Canvas for some postgraduate studies, and my teenage daughter uses it at her high school.

We already bond over how awful the Canvas UX is (and she has a bunch of Chrome extensions to improve it.) Now we’ve got something else to gripe over together.

Our public school system here in Maryland got hit, ransom screen.
Eek I bet there are a few people at Instructure who won't be getting much sleep tonight!
Pretty cruel to do this right around finals.
And grades are due in the next week or so for many of these (usually a quick deadline at the end of the semester due to graduation happening)...
(comment deleted)
> Canvas is currently undergoing scheduled maintenance

doesn't seem that scheduled to me

So many universities used to run homegrown or on-prem student systems. This is the downside of consolidating in the cloud. If the infrastructure is compromised, it affects everyone, not just isolated or single installations. I wonder how they are feeling about that decision now? I guess they can say "not our fault" so they might be feeling better than if it was a vulnerability in their own system.
I hate Canvas. I would rather run a course on GitHub. But our university forces it on us. And now this.
I wonder how much old data Canvas keeps around? Are students who graduated in 2016 going to be at risk of having their academic data leaked?
Down for all students at my University… it’s going to be a headache for all professors to deal with extending due assignments.
It looks like every CSU System is on the list (California State University). Surprised this hasn't hit the front page yet.
Damn, all schools in our district in Washington moved to Instructure last year.

They moved away from Teams because it objectively sucked, but I haven't heard of widespread compromises like this in Microsoft's systems so...

My daughter says that Northeastern is also affected. Is it more widespread? Did they infect all SaaS Canvas universities?
I remember when I was in high school (2016? 2017?), I found a super simple XSS in the assignment submission form and told the programming teacher. Canvas then proceeded to lock my account and got me my first (only?) detention. Good times.
(comment deleted)
(comment deleted)
I wonder when the public is going to start calling for corporate liability for malpractice in software development and corporate liability for malpractice in IT deployments. Even if the tech industry fights it, it probably won't be that much longer.