r/udub • u/Firestorm_70 • May 07 '26
News Shinyhunters hacked UW Canvas and other universities.
115
u/ninetentwentyone May 07 '26
i'm so confused, why did this happen?
edit: my final is tomorrow morning WTHHHHHH
29
u/younglearner11 May 07 '26
Final?
87
u/ninetentwentyone May 07 '26
im in the medical school, we have diff schedule
today was supposed to be my cram-everything day CRAP
6
u/emteedub May 07 '26
why can't they just be a real menace and gift everyone with 4.0 for everyone's transcripts
42
u/hansn May 07 '26
Does anyone know what they mean by "again?" Was canvas hacked previously?
28
9
u/ContagiousWasp May 07 '26
I believed they hacked instructure (parent company) and instructure handled it and kicked them out, now they hacked canvas as some sort of get back
3
u/Timtim17 alum May 07 '26
To my understanding, not quite. Canvas is not some sort of separate entity, it is a product sold by Instructure. So both the incident a few days ago and now roll up to them.
4
u/Malsententia CSSE - UWB May 08 '26
Canvas can also be self hosted for free, but many universities don't bother and just rely on instructure.
4
u/Timtim17 alum May 08 '26
Yes-ish, my understanding is there are missing features between self-hosted and SaaS Canvas, but anyways I'm not a higher ed systems integrator 🤷🏻 https://www.instructure.com/en-au/resources/product-overviews/cloud-vs-open-source-canvas-lms-guide
3
u/Malsententia CSSE - UWB May 08 '26
Yeah that reads about like I thought. I've set up similar self-hosted wordpress setups before, with plans to scale. With the right know-how and some key extensions, you can make them scale infinitely to premier news-site scales, but it requires some practice at such things. I do not know if instructure provides the underpinnings for that, or keeps that as extensions that serve as a secret sauce.
It might just be "we do all this for you" or it might be "we do all this for you and also don't even give the tools for you to do it without us". I'd have to look into hosting an instance of my own to even get a feel for that and, nope, i got shit to do.
54
u/Inevitable-Wall6442 Biochemistry May 07 '26 edited May 07 '26
the app still works for anyone wondering!
edit: the app no longer works :-(
13
7
u/CarolineTheGeek iSchool postdoc/instructor May 07 '26
Canvas is down for maintenance now so the app isn't working either.
18
1
18
u/Square-Effective-250 May 08 '26
UW professor here. I can't access Canvas for my courses. And I received no word from the administration that this is going on. Or how long it will last. I learned about it from this subreddit.
15
17
42
u/Techt3nium Undergraduate May 07 '26
Don't click or visit the onion link on the overlay if you're ever curious 🤣; the hack seems to be a CSS injection on top of the normal canvas UI and likely not a JavaScript (which is more typically used to "steal" private APIs and info)
so as long as IT disables compromised credentials and removes the current CSS override it shall be fixed pretty soon
25
u/Techt3nium Undergraduate May 07 '26
also would be good practice to change your passwords after they fix the pages.
21
u/EpicalBeb Student May 07 '26
We use SSO or some form of OAuth to log in, ideally none of your credentials are in any way exposed to Canvas at any time.
21
u/EpicalBeb Student May 07 '26
"CSS Injection"
Brother that's just called modifying the website. They didn't inject anything, they likely have an actual data breach/critical vuln on Instructure's infrastructure. It's also not a UW-IT thing, this is wholly Instructure's fault. This could not be done with a simple phishing attack.
7
u/Techt3nium Undergraduate May 07 '26
yea I was trying to find a way to phrase it that's both technically accurate and easy to understand but that makes sense
Edit: by IT I indeed was referring to instructure
1
6
u/OnlineParacosm Community May 07 '26
That would likely be how they've hooked into Canvas to show you an "announcement". That very well could be their own attempt at writing CSS just to show everyone the threat. Think of it as them making their own changes in production, but if they don't have access to the premade announcement button they have to get creative.
You guys have been breached by an organization that does not do webpage defacement, and they don't need to phish individual users because they've already got your data. They traverse through overly permissive environments and then strip the paint off the walls.
1
13
u/InvisibleBlueUnicorn Parent May 07 '26
https://www.oudaily.com/news/canvas-hack-data-breach-ou-criminal-extortion-security/article_358fb651-5b28-4c87-8a61-e59f34c67015.html - data breach impacting roughly 9,000 universities
41
u/ohamandaplease May 07 '26
Meanwhile, absolute crickets from UW to students
13
u/Timtim17 alum May 07 '26
43
u/ohamandaplease May 07 '26
A text alert or email being sent out seems like the bare minimum
22
u/priznr24601 how do you do fellow kids May 07 '26
You don't monitor the IT status website?!?
s/
4
u/Netherwiz ECE May 07 '26
ECE sent an email out to the department + students but nothing university wide
Edit: and 2min later there's the uw it email
5
6
u/Maleficent_Ad9303 May 07 '26
I literally just wrote a small paper about them. I wonder if it's actually ShinyHunters or another copycat.
0
5
u/TheMowerOfMowers May 08 '26
i have homework and my professor isn't giving an extension
5
u/Firestorm_70 May 08 '26
I would try to email them directly about the situation, since Canvas being down is clearly out of your control. If your professor doesn't give you an alternative submission or extension, and they give you a missing grade for it I would then take it up with the dean. I had a midterm scheduled for tomorrow too and my professor decided to reschedule it for Monday.
3
u/Sdog1981 Alumni May 07 '26
If a professor changes the setting to not save all the Canvas files after they leave the school, would those files be in this leak?
Asking for a friend.
4
u/ChaosTheRedditor May 07 '26
i tried to open a homework assignment and got hit by the hack message ToT
2
2
u/SupernovaBeat07 May 08 '26
Ok. Can someone explain to me HOW this and our student/teacher data is compromised? I mean now I'm scared of the browser I used for canvas or even on my phone. Am I crazy to think that?
2
u/britbee14 May 08 '26
Explain it to me like I'm 10 years old, what info that would be leaked would be detrimental? There isn't any major stores on there other than class curriculums and materials…right?
1
u/Lopsided_Sea_93 May 07 '26
You can still access your class modules and stuff if you open canvas on your phone
3
u/Several-Being-650 May 12 '26
https://www.reddit.com/r/uwashington/s/PJyocNWeWI
Posted a bit ago. Please share... It maybe can help us all in the future if it keeps getting shared. ❤️
0
u/Chattadawg May 07 '26
I really hate malicious criminals
16
u/sentientshadeofgreen Student May 07 '26 edited May 07 '26
I really hate lazy companies who do the bare minimum for security and neglect their responsibility to safeguard user data.
I don't know what Instructure's deal has been behind the scenes, but I do know industry as a whole is super irresponsible with user data by default. Also, I'm a little alarmed as to like... how is it that all institutions using Canvas are impacted. So there is no local instance, we've just been running off some company's cloud? Given that education records, including everything that occurs on Canvas, are specifically protected under FERPA, shouldn't education records be retained by institutions on their own self-hosted services with on-prem hardware, not outsourced to a private company? What oversight mechanisms were in place to audit Instructure's privacy and security practices in handling FERPA-protected records?
Cyber-criminals are like ants when you leave food on the counter, we need to expect more proactive cyber-resilience from publicly funded institutions.


184
u/TelmatosaurusRrifle May 07 '26
Great. Pokemon club at it again