Instructure Canvas data breach by ShinyHunters hits UC, CSU, USC, Stanford, community colleges
A cybersecurity breach at the company behind the Canvas learning program widely used in higher education grew into a major outage Thursday that left students and faculty at several California campuses locked out of a key platform used to access courses, readings and assignments during finals preparation.
Instructure’s disruption follows a breach disclosed last week in which a group of hackers said they stole hundreds of millions of records held by students and staff at about 9,000 schools in the US, Australia and Europe. The group ShinyHunters — which previously claimed to be behind the Ticketmaster and AT&T hacks — is in debt.
On Thursday, students in California trying to log into Canvas instead received a message written in white against a black background:
“If any of the schools on the affected list are interested in preventing the release of their data, please contact an online consulting firm and contact us privately at TOX to negotiate an agreement. You will have until the end of the day on May 12, 2026 before everything is leaked.”
A UC Berkeley student shared a screenshot of the threat with The Times. In the evening, a reader said the login process had been updated to redirect users to a page that said Canvas was “under scheduled maintenance.”
A message from a group that says it breached Instructure, the company behind Canvas, appeared when a UC Berkeley student tried to log in Thursday.
(Erin Rogers)
On its website, Instructure said Thursday afternoon that it had placed Canvas in “maintenance mode.”
“We expect to be up and running soon, and will provide updates as soon as possible,” the company said.
On Wednesday the company said that Canvas is “fully operational and we do not see any unauthorized activity going on” after the attack. The message said the breach involved “names, email addresses, and student ID numbers, and messages between users,” but not passwords, birthdays, financial information or “government identifiers.”
A spokesperson for Instructure did not respond to a request for further comment.
In California, the results of the breach emerged at major public and private institutions within hours on Thursday.
Messages sent to campus communities at the University of California, California State University, Stanford University and the Los Angeles Community College District said students, staff and faculty were affected. USC also said it is working with affected students. The technological failures did not happen all at once. Many schools have told teachers and students to stay away from Canvas.
It was not immediately clear whether public school districts in California, some of which use Canvas, are affected. The shutdown appeared to hit California later than other universities and schools elsewhere in the country. Public school districts in Utah and North Carolina reported the closure this week. Nationally, campuses including Harvard, Duke and the University of Pennsylvania have reported similar disruptions.
As of Thursday evening, no California college indicated it was aware of any private student, faculty or staff data that was compromised.
UC officials said Canvas “will not be restored until we are confident the system is secure.” A statement posted online Thursday evening said all campuses were told to “temporarily block or redirect access to Canvas.”
At UCLA, the school’s version of Canvas, Bruin Learn, was operating normally in the morning before students said they were locked out during the day.
Titilope Olotu, a junior biology and women’s and reproductive health double major, said she used Bruin Learn to access and complete quizzes before her 8:30 a.m. class. By late afternoon, she could no longer find study materials.
“Oh my god, it’s worrying. Almost every single person I know has been talking about it,” said Olotu. She said she had a marine biology assignment due Friday and a midterm Monday for an evolutionary medicine course, and that she hadn’t done any offline reading, which made for a “stressful morning.”
Sherry Zhou, a senior majoring in political science and communication, said time is tight, with large assignments due, and that many professors use Canvas to share learning materials and slide decks.
“I’m actually in class right now and I have a paper due tonight that I’m probably going to turn in late because we can’t get course materials right now,” she said in a text message, referring to a digital humanities assignment worth a quarter of her final grade. In the afternoon, Zhou said she was relieved that her professor had given extensions and promised to share the material on another channel if Canvas was still unavailable on Friday.
In a campus-wide message late Thursday, UCLA officials said they “forcefully disabled local access to Bruin Learn without caution” while Instructure was dealing with the outage.
At UC Berkeley, a campus-wide message urged users to stay off Canvas. Those already logged in were told to close the tabs “immediately without clicking on any links.” The email, signed by Vice Provost for Undergraduate Education Oliver M. O’Reilly and Chief Information Officer Tracy Shinn, said the cyberattack is “impacting institutions and users around the world.”
“Campus officials are exploring other ways for students and staff to obtain needed information. We recognize that this major disruption is affecting teaching and learning across the campus. Students should await instructions from their instructors regarding temporary arrangements for submitting assignments and accessing course materials,” O’Reilly and Shinn wrote.
CSU officials posted throughout the program that Canvas is down on all 22 campuses and in the Long Beach chancellor’s office. The message said the situation is “fluid” and officials are working with Instructure to determine how things are going.
The Stanford campus notice also said the system was down, adding that “we do not have an estimated time for service restoration.”
In a statement, USC said it is “working with students and faculty in affected programs regarding the Canvas matter. We will continue to monitor the situation and keep our students and faculty informed.”
The Los Angeles Community College District said nine of its campuses were hit. Patrick Luce, the district’s chief security officer, said in a Thursday message to staff that students and teachers have started seeing screens on Canvas saying attackers had stolen LACCD information, and ordered anyone logged in to leave immediately.
“There is currently no EVIDENCE that LACCD’s internal systems have been compromised,” Luce wrote.
Times staff writers Terry Castleman and Lee Rogers contributed to this story.



