Just learned the defacement page was hosted from instructure's own aws bucket so seems pretty bad.