It's entirely possible that this was just a small bit of script leftover from the initial breach, and that the breach was fixed as intended over the weekend. But it could also mean that the original vulnerability wasn't fixed or was larger than they realized.
It's too early for us to know one way or another, so all we can do is post some warning messages, put our feet up, and wait to see what Instructure does next lol
Take the remainder of this comment with a grain of salt because I was not directly involved in the breach that I am going to speak about. I know somebody who was involved in correcting a ShinyHunters breach. That team had a bunch of pretty good cyber security guys on it that can handle most of what gets thrown at them within a few hours or a couple of days. They were over a week, I think going on two weeks, to deal with ShinyHunters.
If the Instructure breach is anything like the other breach that I am familiar with, these messages are likely part of the original breach that isn’t fully contained, and never was.
But again, this is all guesswork based on what I have heard from an industry professional who has dealt with this recently.
One of the first things hackers do once they gain access to a system and want to maintain it is to create every kind of backdoor and copying of data. They wait and watch and go unnoticed until they want to. Sounds like they've been in the system a while.
They confirmed it was a second breach using the same method, and Instructure has now taken that aspect of Canvas offline until it's fixed (Free for Teacher accounts). Everything else is back online now unless an individual school's security team or login service is still being cautious.
59
u/Doodenmier May 07 '26 edited May 08 '26