A cybersecurity breach at the company behind the Canvas learning management system used widely across higher education institutions grew into a widespread outage Thursday that left students and faculty at dozens of California campuses locked out of an essential platform used to access coursework, readings and assignments during finals preparations.
The disruption at Instructure follows a breach disclosed last week in which a hacker group claimed it stole hundreds of millions of records tied to students and employees at roughly 9,000 schools in the U.S., Australia and Europe. The group ShinyHunters — which previously has claimed to be behind hacks of Ticketmaster and AT&T — is taking credit.
On Thursday, California students trying to log into Canvas instead got a message in white writing against a black backdrop:
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.”
A UC Berkeley student shared a screenshot of the threat with The Times. By evening, the student said the login process was updated to redirect users to a page that said Canvas was “undergoing scheduled maintenance.”
A message from a group that claimed to have breached Instructure, the company behind Canvas, when a UC Berkeley student tried to login Thursday.
(Erin Rogers)
On its website, Instructure said Thursday afternoon that it had put Canvas “in maintenance mode.”
“We anticipate being up soon, and will provide updates as soon as possible” the company said.
On Wednesday the firm said Canvas was “fully operational and we are not seeing any ongoing unauthorized activity” after the attacks. The message said that the breach involved “names, email addresses, and student ID numbers, as well as messages among users,” but not passwords, dates of birth, financial information or “government identifiers.”
An Instructure spokesperson did not respond to a request for additional comment.
In California, the effects of the breach rippled across the state’s largest public and private institutions within hours Thursday.
Messages sent to campus communities at the University of California, California State University, Stanford University and the Los Angeles Community College District said students, staff and faculty were affected. USC also said it was working with affected students. The tech failures did not happen simultaneously. Many schools told teachers and students to avoid logging into Canvas.
It was unclear whether public school districts in California, some of which also use Canvas, were affected. The shutdowns appeared to hit California later than other universities and schools elsewhere in the nation. Public school districts in Utah and North Carolina reported outages earlier this week. Nationally, campuses including Harvard, Duke and the University of Pennsylvania reported similar outages.
As of Thursday evening, none of the California colleges indicated they knew of private student, faculty or staff data that was compromised.
UC officials said that Canvas would “not be restored until we are confident the system is secure.” A statement posted online Thursday evening said all campuses were told to “temporarily block or redirect Canvas access.”
At UCLA, the school-branded version of Canvas, Bruin Learn, was working normally in the morning before students said they were locked out by midday.
Titilope Olotu, a junior double-majoring in biology and women and reproductive health, said she used Bruin Learn to access and complete a quiz before her 8:30 a.m. class. By early afternoon, she could no longer find her course materials.
“Oh my gosh, it is so concerning. Almost every single person I know has been talking about it,” Olotu said. She said that she had a marine biology assignment due Friday and a midterm Monday in an evolutionary medicine course, and that she had not saved the readings offline, making for “a stressful morning.”
Sherry Zhou, a senior majoring in political science and communications, said the timing was difficult with major assignments due and many professors using Canvas to share readings and slide decks.
“I am actually in class right now and have a paper due tonight that I probably will have to turn in late because we have no access to the reading/course materials right now,” she said in a text message, referring to a digital humanities assignment worth a quarter of her final grade. By late afternoon, Zhou said she was relieved that her professor offered extensions and promised to share materials through another channel if Canvas was still down Friday
In an all-campus message late Thursday, UCLA officials said they had “proactively disabled local access to Bruin Learn out of precaution” while Instructure dealt with the outage.
At UC Berkeley, a campuswide message urged users not to log into Canvas. If logged in, they were told to close tabs “immediately without clicking any links.” The email, signed by Vice Provost for Undergraduate Education Oliver M. O’Reilly and Chief Information Officer Tracy Shinn, said the cyberattack was “impacting institutions and users globally.”
“Campus officials are exploring other paths for students and staff to access needed information. We recognize this significant disruption affects teaching and learning across campus. Students should await instructions from their instructors regarding temporary arrangements for submitting assignments and accessing course materials,” O’Reilly and Shinn wrote.
CSU officials wrote in a systemwide update that Canvas was down across all 22 campuses and at the chancellor’s Long Beach office. The message said that the situation was “fluid” and that officials were working with Instructure to determine the full scope of the outage.
A Stanford campus notice also said the system was down, adding that “we do not have an estimated time of service restoration.
In a statement, USC said that it was “working with the students and faculty in programs affected by the Canvas issue. We will continue to monitor this situation and keep our students and faculty updated.”
The Los Angeles Community College District said its nine campuses were hit. Patrick Luce, the district’s chief information security officer, said in a Thursday message to employees that students and faculty had begun seeing screens in Canvas claiming the attackers had stolen LACCD data, and instructed anyone logged in to log out immediately.
“There is currently NO EVIDENCE that LACCD’s internal systems have been compromised,” Luce wrote.
Times staff writers Terry Castleman and Lee Rogers contributed to this story.
