If anyone is bored this weekend - and wants to help the edu sector out in the wake of the Canvas LMS attacks - take a gander at the recently implemented and forthcoming security patches in Canvas LMS and see what you might glean. Instructure - the company that was attacked - has provided scant technical details on how initial access and exfil happened - and as a result customers (schools and universities) are left unsure as to how to trust the software or what mitigations to put in place.
Instructure has said the attack was "carried out...by exploiting an issue related to our Free-For-Teacher accounts" https://www.instructure.com/incident_update
Precautionary UX changes made by Instructure in response https://community.instructure.com/en/discussion/666044/incident-change-log-for-may-2026
Instructure Enforcements, Deprecations, and Breaking Changes (which contain some upcoming security related changes): https://community.instructure.com/en/kb/articles/664261-instructure-enforcements-deprecations-and-breaking-changes
May be other threads to pull; this is being actively worked on by many.
Thank you!
-
@douglevin I have my theories. None of them good. Most involve crappy API key handling and OWASP Top 10 vulnerabilities in the front end for the exfil, but it has to be more than that for the defacing of the website. I have trouble letting go of them having access to the CI/CD pipeline to pull that off, which smells of something much different than what I can envision from their public info dumps.
-
Thanks for your insights.
@knapjack re: defacing see: https://news.ycombinator.com/item?id=48057532 (low confidence, but could be legit)
Many rumors of info stealers on login page, but near as I can tell it all goes back to this claim: https://old.reddit.com/r/sysadmin/comments/1t6m7e0/canvas_instructure_lms_seems_to_have_been_hit_by/okijzkm/ (which also is low confidence)
-
@knapjack While some have claimed that the Canvas login page was 'hacked' - including most of the initial media reports - I suspect it was the compromise of a built-in broadcast messaging feature. (Though, I suppose it could be both, or something else altogether.)
Reporter Joe Tidy (BBC) describes a report of how the delivery of Friday's extortion demand was experienced by active users:
Cyber Attack Disrupts Student Exam | Joe Tidy posted on the topic | LinkedIn
It's really hard to bring cyber attacks to life for the average reader. As my mum always helpfully reminds me - [in a Dudley accent] "cyber is bloody boring!". But I spoke to a student whose exam was literally interrupted by the Canvas hack and it was one of those rare visual incidents that makes you wonder at the power of these cyber criminals. Oh and I asked Shiny Hunters if they cared about the impact and disruption they were having on people like Aubrey. "We don't have a comment about that", was the answer. https://lnkd.in/e76nRswq