The University of California has temporarily blocked or redirected access to Canvas after Instructure, the maker of the learning platform, told UC officials that its systems were the target of a data breach and a hacker message appeared on the service.
Canvas — used by thousands of educational institutions worldwide — was shut down globally on Thursday after a message from a threat actor, identifying itself as ShinyHunters, appeared on the platform saying, “ShinyHunters has breached Instructure (again).” The message urged schools to contact the hackers privately to negotiate a settlement and set a deadline of the end of day May 12 before data would be leaked.
Instructure told the University of California that the breach occurred on April 25. The company said a criminal threat actor obtained data associated with customer accounts and that the data involved appears to include personal information but that it had found no indication that passwords, dates of birth, government identifiers or financial information were accessed. Instructure said the attacker was detected and access was revoked on April 29, and that additional suspicious access was revoked and an underlying vulnerability addressed on April 30. The company is posting status updates on its website.
The scale matters: Instructure has acknowledged that the incident is a nationwide issue affecting thousands of institutions, and investigators have cited figures tied to the event — 8,809 school districts, universities and online education platforms have been named in related disclosures, and roughly 275 million records have been referenced in reporting about the breach.
UC’s Office of the President instructed all UC locations to temporarily block or redirect Canvas access while campus cybersecurity teams coordinate with UCOP and Instructure to monitor and assess risks. UC said it will not restore Canvas access until it is confident the system is secure. UC is also warning faculty, staff and students to remain vigilant for follow-up phishing attempts and email scams that could arise from exposed account data.
Davis School District, which said it was informed by Instructure that it was among organizations potentially affected, confirmed that Canvas was down and that it would be restored as soon as the incident is resolved. The district told families that the Canvas instance it uses contains names, email addresses, student ID numbers and course information but does not provide sensitive items such as passwords, government identification numbers, birth dates or financial information.
Context matters here: Canvas is an online learning management system that hundreds of schools and universities rely on for course content, grades and communication. The loss of access interrupted classes and administrative functions across a wide set of institutions on Thursday and prompted a fast, centralized precaution from UC’s president’s office to prevent further exposure while teams evaluate the platform’s integrity.
The tension in the response is immediate. Instructure says it found no indicators of an ongoing threat after revoking access and fixing the vulnerability, and it reports that it did not see evidence that highly sensitive fields such as passwords or government identifiers were taken. At the same time, the apparent theft of personal information and the public hacker demand — including a May 12 deadline — introduced new urgency for universities and districts to cut access and warn communities about phishing. UC’s blanket block and the global outage underline that those reassurances have not been enough to clear the risk for campus security teams.
What happens next is clear and consequential: UC will keep Canvas blocked at its locations until campus and systemwide cybersecurity partners say the platform is safe; Instructure will continue posting updates; and institutions that use Canvas will need to watch for follow-on scams and communicate safeguards to students and families. UC has spelled out one firm rule to the community — it will never ask for passwords, Social Security numbers, birthdates or bank account information by email, text or phone — and it is urging everyone to treat unsolicited requests for information as suspicious.
For now, the safest assumption for students, parents and educators is that Canvas will stay offline at UC sites until independent checks of Instructure’s fixes and account integrity are complete, and that email vigilance should be raised until the May 12 threat window closes or the threat actor’s leverage disappears. Instructure and UC investigators remain the primary sources of updates; Instructure’s site and UC communications are the channels officials say they are using to share progress.
Readers looking for related coverage from this newsroom can find prior reporting on online controversies and public reaction in pieces such as Sisi Alagbo Eniola apologizes after intimate video sparks online outrage and other threads on how online incidents reverberate through communities.
