Canvas, the online education management platform used by thousands of educational institutions around the world, is back online for some California universities and schools on Friday, May 8, after a major data breach — with conditions.
The platform was taken offline across California, and the nation, on Thursday, May 8, amid a cyberattack involving a “criminal threat actor,” according to Instructure, the company that manages Canvas.
Colleges, universities, and even some K-12 school districts were left scrambling on Thursday to secure their Canvas platforms, inform students and faculty about the impacts, and figure out a solution as many students are in the midst of completing final assignments and preparing for final exams.
Instructure, in an incident report log posted on May 6, said that some information potentially at risk on account of the security breach included identifying information such as names, email addresses, student ID numbers and messages between Canvas users.
Canvas is used to manage digital learning across educational levels, and is home to course materials, assignments, grades, and other vital learning materials.
“At this time, we have found no evidence that passwords, dates of birth, government identifiers or financial information were involved. If that changes, we will notify any impacted institutions,” the Instructure log said.
Some social media users posted online Thursday, May 7, reporting that their access to Canvas had been blocked — and instead, they were shown messages from the apparent perpetrator of the attack, a group that identified itself as “Shiny Hunters.”
The message claims that Shiny Hunters will release the data it obtained from affected schools on May 12, 2026, unless Instructure or any of the impacted schools “consult with a cyber advisory firm” and contact Shiny Hunters “privately” to “negotiate a settlement.”
None of the impacted colleges or universities, nor Instructure, have confirmed the identity of the perpetrator of the attack as of Friday, May 8, though a representative for the company did confirm that the attack was perpetrated by an “unauthorized actor.”
“Yesterday, Instructure discovered the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in,” Brian Watkins, the company’s senior communications director, said Friday. “Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate.”
Instructure, Watkins added, has confirmed that the “unauthorized actor” was able to exploit a security issue in the platform’s Free-For-Teacher accounts, which allows educators to build courses, assignments, and other educational materials on the platform for free.
“As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts,” Watkins said. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use. We regret the inconvenience and concern this may have caused.”
While Canvas is largely back online, according to Instructure, many California educational institutions have yet to allow their users back onto the platform as of around noon on Friday.
All 116 colleges governed by California Community Colleges across the state have been impacted by the Canvas breach, a representative said previously, and the platform was taken down for all users as a result.
CCC also reported that some Canvas users, on Thursday, had received emails from the hacker group.
“The email claims hackers have been monitoring the user’s activity on web browsers and seeks payment in Bitcoin within 48 hours to have any compromising information deleted,” the CCC said on its website. “This is a scam and anyone receiving such a message should delete it immediately. Do not click on any links, open any attachments, download files, or respond.”
While Instructure has begun restoring access to Canvas for CCC schools, according to the group’s website, the investigation and security validation process was still not complete as of Thursday evening.
“Out of an abundance of caution, colleges are taking a thoughtful approach before returning to normal instructional use,” the CCC website said. “Thank you to our students, faculty, and staff for your patience and flexibility as we continue working with Instructure and campus teams to support a safe return to service. Please continue following guidance from your college for next steps.”
Canvas still appeared to be down for the California State University system, which serves more than 470,000 students across 23 campuses statewide, as of Friday afternoon. CSU officials did not immediately respond to a request for additional information about the status of the breach on Friday.
Some University of California schools, including UC San Diego, UCLA, UC Irvine, and UC Davis also appeared to still be grappling with the crisis as of Friday afternoon.
Functionality has been restored to Canvas for UCLA users, according to the university, as of around 9 a.m. Friday morning, but user access to the platform is still restricted.
“In alignment with UC guidance, UCLA is performing security assurance, configuration, and integrity checks before re-enabling access,” UCLA said. “An announcement on platform restoration will be shared when a decision has been made.”
The same goes for UCI, where Canvas functionality has been restored but is still inaccessible to students.
“Although Instructure has indicated that Canvas is available for most users, at this time UC Office of the President is seeking greater assurances from the vendor on both system safety and on the integrity of the data in it,” the university wrote. “We will share an update as soon as we have one, but access is unlikely to be restored until this afternoon at the earliest.”
For one cybersecurity expert, this global breach of Canvas is indicative of larger cybersecurity concerns for educational institutions — which are no strangers to becoming the target of hackers seeking a ransom.
The Los Angeles Unified School District, for example, was the victim of a massive cyberattack in 2022, which resulted in driver’s license numbers, Social Security numbers, psychological assessment records, and other sensitive information linked to thousands of students being leaked on the dark web.
Cliff Steinhauer, the National Cybersecurity Alliance’s director of information security and engagement, said in a Friday statement that the Canvas breach underscores why schools, universities, and colleges are often targeted by malicious hackers.
“Cybercriminals are increasingly incentivized to target large technology vendors and shared service providers because compromising a single platform can provide access to thousands of organizations at once, making it far more efficient and profitable than attacking individual schools one by one,” Steinhauer said. “This incident should serve as a wake-up call for both schools and technology vendors to strengthen vendor risk management, improve incident response planning, and treat cybersecurity as a core component of educational resilience.”
And, Steinhauer added, even though sensitive information like SSNs, driver’s license numbers, or financial information wasn’t compromised as a result of the Canvas breach, the data stored on the platform could still be useful to hackers.
“Even if highly sensitive financial information was not exposed, educational records, communications, and identity data can still be valuable to cybercriminals for phishing, impersonation, and future attacks,” Steinhauer said. “When a system used by thousands of institutions goes down during finals season, it demonstrates that cybersecurity incidents can quickly become large-scale operational disruptions, not just isolated IT problems.”
For updates about the Canvas breach, check the CSU, UC, and CCC websites.
This story is breaking. Check back for updates.