A cybersecurity breach at the company behind the Canvas learning management system widely used at institutions of higher education turned into a widespread outage Thursday, knocking out students and faculty at dozens of California campuses from an essential platform used to access coursework, readings and assignments as they prepare for finals.
The disruption at Instructor follows a breach revealed last week in which a hacker group claimed to have stolen millions of records belonging to students and staff at nearly 9,000 schools in the US, Australia and Europe. The ShinyHunters group — which has previously claimed to be behind the hacking of Ticketmaster and AT&T — is taking credit.
On Thursday, California students tried to log into Canvas but were met with a message written in white on a black background:
“If any of the schools on the affected list are interested in preventing their data from being released, please consult a cyber advisory firm and contact us privately on TOX to reach a compromise. You have until the end of the day, May 12, 2026, before everything is leaked.”
A UC Berkeley student shared a screenshot of the threat with The Times. By evening, the student said the login process had been updated to redirect users to a page stating that Canvas was “undergoing scheduled maintenance.”
On its website, the instructor said It put Canvas “in maintenance mode” on Thursday afternoon.
“We hope to have an update soon and will provide an update as soon as possible,” the company said.
On Wednesday the firm said Canvas was “fully operational and we are not seeing any unauthorized activity following the attacks”. The message said the breach included “names, email addresses, and student ID numbers, as well as messages between users,” but not passwords, dates of birth, financial information, or “government identifiers.”
A spokesperson for the instructor did not respond to a request for additional comment.
In California, the impact of the breach spread across the state’s largest public and private institutions within hours on Thursday.
Messages sent to campus communities at the University of California, California State University, Stanford University and the Los Angeles Community College District said students, staff and faculty were affected. USC also said it is working with the affected students. Technical failures did not occur simultaneously. Many schools asked teachers and students to avoid logging into Canvas.
It was unclear whether California’s public school districts, some of which also use Canvas, were affected. The shutdown appears to have hit California late compared to other universities and schools in the country. Power outages were reported in public school districts in Utah and North Carolina earlier this week. Nationally, campuses including Harvard, Duke and the University of Pennsylvania reported similar disruptions.
As of Thursday evening, no California colleges indicated they were aware of private student, faculty or employee data that was compromised.
UC officials said that Canvas will not be reinstated “until we are confident that the system is secure.” a statement Posted online Thursday evening said all campuses were asked to “temporarily block or redirect Canvas access.”
At UCLA, the campus learning portal, Bruin Learn, was operating normally in the morning before students said it was shut down by the afternoon.
Titilope Olotu, a junior double-majoring in biology and women’s and reproductive health, said she used Bruin Learn — the school-branded version of Canvas — to access and complete a quiz before her 8:30 a.m. class. By noon, he could not find his course materials.
“Oh my God, it’s so worrying. I know almost everyone is talking about it,” Olotu said. She said she had a marine biology assignment on Friday and an evolutionary medicine course midterm on Monday, and she had not saved the readings offline, leading to a “stressful morning.”
Sherry Zhou, a senior undergraduate majoring in political science and communications, said times were tight as major assignments were due and many professors were using Canvas to share readings and slide decks.
“I’m actually in class right now and I have a paper tonight, I’ll probably have to be late since we don’t have access to reading/course materials right now,” she said in a text message, referring to a digital humanities assignment worth a quarter of her final grade. By late afternoon, Zhou said she was relieved that her professor had offered an extension and promised to share the content through another channel if Canvas remained closed Friday.
In a campus-wide message late Thursday, UCLA officials said they had “proactively disabled local access to Bruin Learn out of an abundance of caution” while Instruct dealt with the outage.
At UC Berkeley, a campuswide message urged users not to log into Canvas. If logged in, they were asked to close the tab “immediately without clicking any links.” The email, signed by Vice Provost of Undergraduate Education Oliver M. O’Reilly and Chief Information Officer Tracy Shinn, said the cyberattack “is impacting institutions and users globally.”
O’Reilly and Shin wrote, “Campus officials are exploring other avenues for students and staff to access essential information. We recognize that this significant disruption impacts teaching and learning across campus. Students should await instructions from their instructors regarding temporary arrangements for submitting assignments and accessing course materials.”
CSU officials wrote in a systemwide update that Canvas was closed at all 22 campuses and the chancellor’s Long Beach office. The message said the situation was “fluid” and that officials were working with instructors to determine the full scope of the outage.
A notice from the Stanford campus said the system was also down, adding that “we do not have an estimated time for service restoration.
In a statement, USC said it was “working with students and faculty in programs affected by the Canvas issue. We will continue to monitor this situation and keep our students and faculty updated.”
The Los Angeles Community College District said nine of its campuses were affected. Patrick Luce, the district’s chief information security officer, said in a message to staff Thursday that students and teachers have begun seeing screens in Canvas claiming attackers have stolen LACCD data, and directed anyone logged in to log out immediately.
“There is currently no evidence that LACCD’s internal systems have been compromised,” Luce wrote.
Times employees terry castleman and lee rogers Contributed to this story.
