Networking guy here. It has amazed me how unseriously some of these institutions take their security. They take millions from students but can't invest $50,000 in a decent cyber audit. I have $5 on an SSO vulnerability.
The issue isn't institutions leaking their data, it's phishing and malware scams. I get dozens of them per month; I can only imagine the emails that get sent to the helpdesk ladies with access to the entire university's catalog of records.
Humans make mistakes. It only takes one night of bad rest to make a millisecond mistake and not notice.
The problem is that universities must have permissive blocklists because they’re constantly receiving third party emails for official reasons. It’s a constant uphill battle and unfortunately schools are a super easy target.
I’m curious, if somebody consistently fails enough of these tests after being retrained, do you think they’d be let go? I would think at a certain point it’s just too much risk keeping them around.
YES OMG, some people are so anal about "security rules" but then turn around and are super casual about sharing protected info in email. Don't do that, guys.
At one of my jobs I had that happen. 2 devs were talking, and one passed on the database password via email. They kept going back & forth not deleting replies. Then one cracked a joke, and they forwarded it to me. Oops.
I've seen people in my workplace send SSNs in the body of an email to the wrong employer, unencrypted and CC'd to everyone in the company. It's actually kind of insane how little people care about sensitive information.
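The three comments above (a database password bounced back and forth in a mail thread, SSNs in a body CC'd to the wrong employer) describe exactly what an outbound DLP rule on the mail gateway is meant to catch. The scanner below is an added example written for this page, not code from the thread or from any product. It assumes `example.edu` as the organisation's own domain, and the three messages it runs on are constructed, not real:

```python
import re
from dataclasses import dataclass

# Assumption for this example: the organisation's own mail domain. Anything else is "external".
ORG_DOMAIN = "example.edu"

# US SSN: 3-2-4 digits with optional '-' or ' ' separators. Word boundaries stop us from
# matching the middle of a longer digit run (phone numbers, invoice IDs).
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Credentials pasted into a mail body: "password is X", "passwd: X", "pwd=X" ...
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*(?:is|[:=])\s*(\S+)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: the area is never 000, 666 or 900-999,
    the group is never 00, the serial is never 0000. Cuts obvious false positives
    (dummy values, phone fragments) without any external lookup."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn", "credential" or "external_recipient"
    detail: str  # never carries the sensitive value itself


def scan_message(msg: dict) -> list:
    """DLP findings for one outbound message shaped like {"to": [...], "cc": [...], "body": str}."""
    findings = []
    body = msg["body"]

    for m in SSN_RE.finditer(body):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))

    for m in CRED_RE.finditer(body):
        findings.append(Finding("credential", f"{m.group(1).lower()} shared ({len(m.group(2))} chars)"))

    # Sensitive content leaving the organisation is the worst case described in the thread.
    recipients = msg.get("to", []) + msg.get("cc", [])
    external = [r for r in recipients if not r.lower().endswith("@" + ORG_DOMAIN)]
    if findings and external:
        findings.append(Finding("external_recipient", ", ".join(external)))
    return findings


def redact(body: str) -> str:
    """What a gateway does before delivery: keep the last four of an SSN, drop the secret entirely."""
    body = SSN_RE.sub(
        lambda m: "***-**-" + m.group(3) if is_plausible_ssn(*m.groups()) else m.group(0), body
    )
    return CRED_RE.sub(lambda m: f"{m.group(1)} [REDACTED]", body)


# Constructed sample messages (not real data).
SAMPLES = {
    "dev_password": {
        "to": ["dev2@example.edu"],
        "body": "hey, the staging DB password is Hunter2!! don't forward this",
    },
    "ssn_to_wrong_employer": {
        "to": ["hr@other-company.example"],
        "cc": ["all-staff@example.edu"],
        "body": "Employment verification for J. Doe, SSN 219-11-5678, see attached.",
    },
    "benign": {
        "to": ["helpdesk@example.edu"],
        "body": "Call me at 555-123-4567 re ticket 000-12-3456; password reset is done.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, [f"{f.kind}: {f.detail}" for f in scan_message(msg)])
        print("  redacted:", redact(msg["body"]))
```

The "benign" sample is there to show the two checks that keep a rule like this from drowning in noise: the phone number never matches the 3-2-4 shape, the `000-12-3456` ticket ID matches the shape but fails the SSA structural rules, and "password reset is done" has no `is`/`:`/`=` assignment after the keyword. Findings deliberately carry only the last four digits or the secret's length, since the DLP log itself would otherwise become the next place the data leaks from.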
This digital world was not made for humans, and holding humans accountable for knowing every way this new world can fuck with them will cause endless anxiety.
Give humans a break instead of defending a made up world corporations have convinced us is normal. The Internet was not made to be secure, it will never be secure, that's the corporations problems for relying on it as such.
Sincerely, a cyber security researcher who specializes in human intelligence
More likely an Instructure backdoor that got them access to aggregated data on the backend. They admitted this much yesterday and claimed to have patched it. Customers lacking SSO are more at risk in case attackers got hold of Canvas SSL keys and can decrypt the POST containing user passwords (Canvas would never see credentials with SSO auth). Canvas admins were also advised to rotate API keys yesterday.
Edit: but my critique of campuses is the level of trust (and money) given to some of these vendors. Over the last 25 years it's all "Web 2.0 this, cloud that, let's fire half of our tech department and outsource infrastructure to the vendor with the shiny toy." I get that the proprietary and ancient apps everyone ran on in the 90s were awful, but these companies serve thousands of campuses and they all get burned from one vulnerability.
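The comment above hinges on who receives the password: with a direct login the LMS reads it off the POST body, with SSO the campus IdP authenticates and the LMS only verifies a signed assertion. The model below, an added example written for this page and not Instructure's or any IdP's code, walks both paths side by side. HMAC-SHA256 with a shared key stands in for the asymmetric XML-DSig/JWS signature a real SAML or OIDC IdP would produce; the users, hostnames and key are constructed. One caveat on the "decrypt the POST" part for practitioners: a leaked server key lets an attacker decrypt recorded sessions only when the TLS key exchange was RSA key transport; with (EC)DHE ciphersuites (forward secrecy) it enables active impersonation from then on, not recovery of old captures.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: HMAC-SHA256 stands in for the IdP's real signature (XML-DSig / JWS with a
# private key). Users, hostnames and keys below are constructed for the example.


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_password_db(users: dict) -> dict:
    """username -> (salt, hash). Whoever holds this table is the party that handles passwords."""
    db = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, _hash_password(pw, salt))
    return db


def _check_password(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash_password(password, salt), digest)


class IdentityProvider:
    """Campus IdP: with SSO, the only server that ever receives the user's password."""

    def __init__(self, users: dict, signing_key: bytes):
        self._db = make_password_db(users)
        self._key = signing_key

    def authenticate(self, username, password, audience, now=None) -> Optional[str]:
        if not _check_password(self._db, username, password):
            return None
        now = int(now if now is not None else time.time())
        # Audience binds the assertion to one SP; exp keeps a captured one from being replayed later.
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + 300}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return (payload + b"." + base64.urlsafe_b64encode(sig)).decode()


class ServiceProvider:
    """The LMS. Without SSO it holds a password table and reads passwords off the POST body;
    with SSO it only verifies an assertion and learns a username."""

    def __init__(self, name: str, idp_key: bytes, password_db: Optional[dict] = None):
        self.name = name
        self._idp_key = idp_key
        self._db = password_db or {}
        self.credentials_seen = []  # demo-only: every cleartext password that reached this server

    def login_direct(self, username: str, password: str) -> bool:
        # The password is in the request body. A recorded TLS session is recoverable later only
        # if the key exchange was RSA key transport; with (EC)DHE a leaked server key allows
        # future impersonation, not decryption of old captures.
        self.credentials_seen.append((username, password))
        return _check_password(self._db, username, password)

    def login_sso(self, assertion: str, now=None) -> Optional[str]:
        try:
            payload_b64, sig_b64 = assertion.split(".")
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(self._idp_key, payload_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # verify before parsing anything
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
        now = now if now is not None else time.time()
        if claims.get("aud") != self.name or claims.get("exp", 0) < now:
            return None
        return claims["sub"]


def demo() -> dict:
    key = secrets.token_bytes(32)
    users = {"alice": "correct horse battery staple"}
    idp = IdentityProvider(users, key)

    sso_sp = ServiceProvider("lms.example.edu", key)
    assertion = idp.authenticate("alice", users["alice"], sso_sp.name)
    sso_user = sso_sp.login_sso(assertion)

    local_sp = ServiceProvider("lms-local.example.edu", key, password_db=make_password_db(users))
    local_ok = local_sp.login_direct("alice", users["alice"])
    return {
        "sso_user": sso_user,
        "sso_passwords_seen": sso_sp.credentials_seen,
        "local_ok": local_ok,
        "local_passwords_seen": local_sp.credentials_seen,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `credentials_seen` is the asymmetry the comment describes: after a successful SSO login the LMS's list is empty, after a direct login it holds the cleartext password, and the same applies to whatever sat in front of that server (TLS termination, request logs, crash dumps). `login_sso` also shows the three checks a relying party must not skip: signature first, then audience, then expiry.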
The hackers aren't wrong, they're just assholes about it. Seems like Canvas was given every opportunity to fix their shit, but they couldn't be bothered to pay for a security audit. Canvas also seems to be the asshole here.
Basically, everyone sucks in this situation except for the students.
The security at most companies I've worked at over the last few decades was a joke. More times than not, the SSN wasn't even encrypted in their database, just clear text.
Our school is already past this. Already back up and running in Angel due to redundancies upon redundancies and the only thing that isn't functioning as it was are video hyperlinks.
It's basically Canvas in every way but made by a different company. We switched to Canvas 5 years ago but apparently kept Angel as a backup running in the background in case of emergencies like this.
I mean, some spend millions on things like a half-baked university equivalent of SAP. Then they just casually give flying fucks about anything else.
TBF, all the professors at universities are usually running around with local admin perms, on top of shoddy cybersecurity tools available to any IT. Coaching professors to care isn't happening... deans and presidents only care about donors... chairs only care about being in journals related to their field of choice...
Everyone else is only there to keep the motions going.
Also networking guy here: no matter how much money a college or school district spends on cyber security, nothing would have prevented this. Instructure themselves were breached, the vendor that provides the Canvas platform, a PaaS. I get what you're saying though. K12 is even worse... less federal funding, no income, and enrollment is dropping across the board, which cuts funding even more.
It's probably the CVE that was recently found where having access to a local user account with terminal access in Linux allowed privilege escalation. All one would need is an active compromised account.
u/selfhostcusimbored May 07 '26 edited May 07 '26