Canvas hack shuts down Learning Apps at MANY CAMPUSES, worldwide
The list goes on MIT, UW Madison, Penn, Harvard ... Just one article of many on this monster hack.
https://www.dailycardinal.com/article/2026/05/canvas-hack-shuts-down-operations-at-uw-madison-worldwide
Apparently, school websites are up but their LMS (Learning Management Systems) Instructure/Canvas software may be offline after being hacked.
ShinyHunters claims data theft from 8,800 schools
https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/
The hack halted all access to Canvas at 3 p.m. on May 7, just hours before University of Wisconsin-Madison's last day of finals.
Canvas shut down worldwide on May 7 after a hack by cybercriminal group ShinyHunters displayed a warning message that student data could be distributed if Instructure, Canvas' host, did not reach out to them by May 12. The message displayed across campus Canvases around 3 p.m., just hours before University of Wisconsin-Madison's last day of finals.
In the pop-up message on Canvas, ShinyHunters encouraged affected schools to consult a cyber advisory firm and contact the group directly using instant messaging app Tox, before everything is leaked at the end of the day May 12.

"If Canvas prompts you to perform any action such as clicking a link, logging in, resetting your password, or completing any tasks do not proceed," UW-Madison advised on their information technology website.
The hack follows a May 1 hack of Instructure, Canvas' host, that compromised student names, email addresses and ID numbers. The hack did not include passwords, dates of birth, government identifiers or financial information, according to an Instructure statement.
https://cybernews.com/security/anvas-lms-breach-universities-data-leak/
Harvard, Oxford, and MIT named as hackers drop full Canvas breach victim list
The gang has now dropped the full list of affected educational institutions. The file contains approximately 8,809 educational institutions, including higher education institutions and high schools from at least 10 different countries.
snip
Among the victims are the most prominent educational institutions in the world, including:
Harvard University
Stanford University
Massachusetts Institute of Technology (MIT)
University of Oxford
Princeton University
Columbia University
University of Cambridge (via Cambridge University Press entry)
Cornell University
UC Berkeley
Georgetown University
ShinyHunters has extended its ultimatum to May 7th, awaiting the company's response and a negotiation. The attackers threaten to publicly leak all the stolen data if the company does not negotiate.
The incident was contained, but the investigation is ongoing
On Saturday, Instructure Holdings, the company behind the widely used LMS, claimed that the incident had been contained, but the investigation is ongoing.
Outsourcing your LMS (Learning Management System) Smart
NOT
I remember the very early days of LMS software and was an early advocate of the free and open source Moodle software package. These systems have gotten very complex and with complexity comes risk. This is like the MOVEit hack. MOVEit is a commercial software package used to transfer large files. Once a hack was found, it compromised every customer.
WAIT! MOVEit was hacked just last week.
https://www.thetechedvocate.org/urgent-moveit-vulnerabilities-expose-thousands-of-systems-to-critical-risks-heres-what-you-need-to-know/
According to Progress Software, the MOVEit vulnerabilities are particularly troubling due to the number of internet-connected devices currently running susceptible versions of the software. Reports indicate that over 1,440 devices are at risk, including 16 systems linked to state and local government agencies. This widespread exposure creates an immediate risk for thousands of organizations that depend on MOVEit for their critical file transfer operations.
Wikipedia:
MOVEit is a managed file transfer software product produced by Ipswitch, Inc. (now part of Progress Software).[3] MOVEit encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options. The software has been used in the healthcare industry by companies such as Rochester Hospital and Medibank, as well as thousands of IT departments in high technology, government, and financial service companies like Zellis.
Posted by a RETIRED I.T. Dude.
Commercial software.
What a shitshow.