On April 30, a coordinated cyber attack disrupted Canonical's online services, causing outages for the Ubuntu website, Snap Store, and Launchpad. While the attack was significant, many core Ubuntu services remained operational thanks to redundancy. This Q&A explains the incident in detail and offers guidance for affected users.
1. What exactly happened to Ubuntu's online services?
A sustained, cross-border attack targeted Canonical's servers, knocking several key websites and services offline. The company first publicly acknowledged the issue around 6 PM UK time on April 30, stating they were actively working to mitigate the attack and restore services. The incident affected the main Ubuntu.com site, the Snap Store (where users download Snap packages), and Launchpad (the development collaboration platform). At its peak, many users saw error messages when trying to access these resources. Canonical later confirmed the attack was deliberate and ongoing, but did not immediately attribute it to any specific group. The attack did not compromise user data or system integrity, only availability.
2. Which Canonical services were affected by the attack?
The primary affected services were the Ubuntu website (ubuntu.com), the Snap Store (snapcraft.io), and Launchpad (launchpad.net). These platforms all rely on Canonical's central server infrastructure, which was directly targeted. Additionally, the main APT repository archive.ubuntu.com was temporarily inaccessible. However, Canonical's broader infrastructure includes numerous mirrors and redundant systems. For example, the Ubuntu One and Canonical's corporate site also experienced intermittent issues. Community forums like Ubuntu Forums remained online because they are hosted separately. Email services and internal corporate tools were reportedly unaffected. Users tried to access affected services experienced timeouts or error pages, but no data loss was reported.
3. Are Ubuntu's APT repositories still working?
Despite the attack, most APT repositories remained functional thanks to Canonical's distributed mirror network. The main archive.ubuntu.com server did go offline, but package updates continued to be available through regional mirrors automatically for users who had configured them. By default, Ubuntu systems are set to use archive.ubuntu.com, which would fail. However, the system automatically falls back to other mirrors (or users can manually switch mirrors). Additionally, the security repository (security.ubuntu.com) and the Ports repository (for ARM, etc.) were also mirrored and remained accessible. The key takeaway is that while the primary server was down, the distributed architecture prevented a complete outage for package updates.
4. Can users still download Ubuntu ISO images?
Yes, users could still download Ubuntu ISO images during the attack. Canonical hosts ISO images on a separate content delivery network (CDN) that was not affected by the attack. Additionally, many third-party sites and educational mirrors continue to host Ubuntu ISOs, providing alternative sources. The releases.ubuntu.com page was also accessible. This meant that new installations or upgrades via ISO were not disrupted. However, users trying to download from the main Ubuntu website may have encountered redirect issues, so Canonical advised using direct links or trusted mirrors.
5. When did the attack begin and how long did it last?
Canonical first reported the attack at approximately 6 PM UK time on April 30. The attack appeared to be sustained, meaning it continued over several hours. While the exact end time was not officially announced, services began to stabilize within 24 hours. Some users reported intermittent connectivity for a day or two after the initial onset. Canonical's engineers worked through the incident, implementing mitigations like additional filtering and load balancing. The company issued periodic updates via its status page and social media, informing users of progress.
6. How is Canonical responding to the situation?
Canonical described the event as a "sustained, cross-border attack" and promptly assembled an incident response team. They began working to block malicious traffic and reinforce server defenses. The company communicated via its status page and Twitter, urging patience and providing workarounds where possible. For example, they directed users to use alternative mirrors for APT and pointed to direct ISO download links. As the attack subsided, Canonical conducted a post-mortem analysis to identify weaknesses and improve resilience. They thanked the community for support and offered a timeline for full restoration. No data breach was reported, and user safety was never compromised.
7. What does a "sustained, cross-border attack" mean?
The phrase indicates a coordinated cyber assault originating from multiple countries and persisting over a prolonged period—not a brief or localized incident. "Sustained" means the attack lasted for hours or days without pause, unlike a quick denial-of-service spike. "Cross-border" suggests traffic came from servers in different geographic regions, making filtering more challenging. This type of attack typically aims to overwhelm servers with traffic or exploit vulnerabilities from varied sources to evade simple IP blocking. Canonical used this specific language to highlight the severity and complexity, emphasizing that it was a deliberate attempt to cause extended disruption rather than a random glitch.
8. What should Ubuntu users do if they need to update or install software?
If you encounter errors with apt update due to the attack, the simplest fix is to switch your APT mirror to a working alternative. Ubuntu automatically selects mirrors based on location. To change it manually:
- Open Software & Updates from the settings menu.
- On the Ubuntu Software tab, change the "Download from" dropdown to a mirror (e.g., "US" or "Main server" may be different).
- Alternatively, edit
/etc/apt/sources.listand replacearchive.ubuntu.comwith a known mirror (likemirrors.kernel.org).
For ISO downloads, use releases.ubuntu.com directly. Avoid using the main website if it's slow. If using Snap packages, try again later, as the Snap Store was partially down. The community also provided temporary workarounds on forums.