If you’re a student, a teacher, or somewhere in the education field, you’ve probably heard about the Canvas LMS hack.
Canvas, the Learning Management System (LMS) used by thousands of institutions worldwide, was breached by a hacking group called ShinyHunters. Nearly 9,000 schools were affected, making it the largest educational security breach on record.
Students logging in during finals week were greeted not by their coursework, but by a ransom note. I’m not sure what’s scarier. 😬
And this isn’t just a foreign problem. Canvas has a significant presence here in the Philippines. Reputable schools and universities like De La Salle University, Ateneo de Manila University, and University of Santo Tomas rely on it daily for classes, submissions, and communication. The University of the East confirmed it was among those affected, advising students and faculty to stay vigilant against phishing attempts that may exploit the situation.
What Actually Happened in the Canvas LMS Hack
The attackers exploited Canvas’s Free-For-Teacher account program, a feature that let educators create accounts without institutional verification. Because these accounts shared the same underlying infrastructure as institutional accounts, that loose entry point became a way in.
That one small gap exposed millions of records to the world.
Names, email addresses, student IDs, and private messages were compromised across nearly 9,000 schools from April 30 to May 7. The timing made it worse: the outage hit during final exam periods. Students and professors scrambled and schedules fell apart, just because one platform went down.
The Real Question Nobody’s Asking
We’re not here to pile on Canvas or Instructure. Cybersecurity incidents can happen to everyone, big and small alike. No platform is immune to these attacks.
But this incident exposes something most schools and organizations skip when they adopt a new digital tool:
When something goes wrong, whose data is it? And who gets to decide what happens next?
Canvas is a cloud-based, centrally hosted platform. Thousands of institutions run on the same shared infrastructure managed entirely by one company. When that company gets hit, everyone gets hit at the same time, with no independent way out.
Your students’ records. Your teachers’ messages. Your institution’s data. All sitting on someone else’s servers, under someone else’s control. Yikes.
That’s not a flaw unique to Canvas. It’s just how most centralized platforms work. And it’s worth understanding before you commit.
Wait... Isn’t Canvas Open Source?
Technically yes. Canvas’s code is publicly available on GitHub. And that’s worth acknowledging.
But here’s the distinction that matters: most schools don’t actually run their own Canvas. They use Instructure’s cloud-hosted version. The servers, the infrastructure, and the incident response all belong to Instructure, not the school.
Open-source code sitting on someone else’s servers is still someone else’s servers.
The breach didn’t happen because Canvas’s code is bad. It happened because thousands of institutions were sharing the same centralized infrastructure.
That’s the difference between open-source software and open-source ownership. You can have one without the other.
What It Actually Means to Own Your Data
There’s a different way to think about your digital platforms, one where your school stays in control.
- Your data lives where you decide. Not on a shared server you’ve never seen. On infrastructure you chose, configured, and can check on anytime.
- You control what happens when things go wrong. You don’t sit and wait for a vendor’s status page to update. You act on your own terms, at your own pace.
- You’re not a domino. When a centralized platform goes down, everyone on it goes down together. Your own system is your own environment. What happens to someone else’s instance doesn’t have to happen to yours.
But Does This Make Open Source Automatically Safer?
Honestly, no, and we want to be upfront about that. 😅
A self-hosted platform with outdated settings, weak passwords, and nobody maintaining it is not safer than a well-managed cloud service. Having control of your data only matters if you actually take care of it.
The better question isn’t “which platform is safer?” It’s: “Who’s responsible for our data here, and are we ready to take that seriously?”
Security isn’t a feature you turn on. It’s regular updates, proper backups, access controls, and knowing what to do when something goes sideways. No tool eliminates that work. Some just give you more say in how it gets done.
A Note for Philippine Schools and Organizations
Budget is always a reality here. Enterprise platform licenses aren’t cheap, and when those platforms get breached or go offline, you’re still paying while waiting for someone else to fix it.
Open-source tools work differently. The software is free. You choose your hosting. You own your data. And the cost of running it sustainably is often a fraction of a vendor-managed subscription.
That’s not cutting corners. For many Philippine schools, SMEs, and growing organizations, it’s actually the smarter, more sustainable choice.
A More Human Approach
At Hooman, we use open-source platforms because we believe the schools and organizations we work with should own their digital systems, not just rent access to them.
Affordable. Accessible. Built so that YOU (yes, you) are in control. Because when disruption happens (and it will), the goal isn’t to avoid it completely; the goal is to make sure you can keep going.
If this week’s news made you think “we should probably sort this out,” we’re here to help you figure out where to start.
Learn more about our LMS services at hooman.design/lms






