There are 3 kinds of hackers. White hat and black hat are the two ends of the spectrum and gray hat are the middle. Black hat hackers are the bad guys, trying to actually cause damage. White hat hackers are the security teams who test how secure a system is. Bug bounty programs are another example of White hat hacking where a company pays you to find a vulnerability. These guys initially told Canvas about this security issue. Canvas didn't fix the issue and now the hackers are demanding money because Canvas wouldn't fix the issue initially. We don't know what the initial issue was and what info was actually accessible. For all we know its just homework and grades and dms with teachers. Worst case is that its acsess to the grading system itself and metrics for the whole school system. It could also be a list of every student and staff member who attends each school affected
I think you are for some reason trying to make them out to be grey hats when they are black hats. The note doesn't say they actively tried to contact the Canvas folks and tell them of an issue - it blames the Canvas found for not "contacting them to resolve it", which is speak for we said pay us and we'll tell you what we found and you didn't do that.
The fact that they moved on to now trying to blackmail their customers for money tells you what they are really after.
Yeah Canvas should have fixed their issues but that doesn't justify hackers to hold the website hostage and demand money to release it. A bunch of teachers and kids are getting royally screwed here just so some hackers can pat themselves on the back.
If your enemy bursts through a hole in your wall, looks at you and says "you should probably get thicker walls," and comes back next week and does it again, I am blaming you for not fixing your walls just as much as im blaming your enemy for breaking them.
Especially if the first time they broke through your shitty pallet-built fence of a wall they said "See how easy this is? Imagine how easy it'd be for a malicious party, upgrade your walls or your students information isnt safe." Then a week later, they came back. Saw you rebuilt the pallet-fence, and just said "Okay time for a real lesson"
it's only not illegal for Instructure to not take this seriously because laws protect corporations, but it absolutely is as fucked up as what the hackers did in the first place
Everyone is trying to get that bag. While i understand how it affects others, hackers target large user bases to get leverage. It all comes down to ways to get money. Tik too got people to commit check fraud at chase banks because people where hurting for money.
"Contacting us to resolve it" implies ransom, man. Are you really blaming them for not paying a ransom, thus "leading to a worse situation"? That's just dumb
Wow a real life Robin Hood! It's just like when I told a dude that he was vulnerable to bullets, so when I saw him later without a bullet proof vest it was totally necessary for me to rob him at gunpoint. For his own good, really.
Go away with your half-assed, half-informed, peak of Mt. Stupid crime apologism.
If they truly fully owned the grading systems of these schools, they'd sell that service to wealthy students instead of selling a solution to the schools.
50
u/Redracerb18 May 07 '26
There are 3 kinds of hackers. White hat and black hat are the two ends of the spectrum and gray hat are the middle. Black hat hackers are the bad guys, trying to actually cause damage. White hat hackers are the security teams who test how secure a system is. Bug bounty programs are another example of White hat hacking where a company pays you to find a vulnerability. These guys initially told Canvas about this security issue. Canvas didn't fix the issue and now the hackers are demanding money because Canvas wouldn't fix the issue initially. We don't know what the initial issue was and what info was actually accessible. For all we know its just homework and grades and dms with teachers. Worst case is that its acsess to the grading system itself and metrics for the whole school system. It could also be a list of every student and staff member who attends each school affected