Canvas Hack Disrupts Online Learning at California Colleges

A hack of the Canvas education platform disrupted access for more than 1 million California higher education students beginning May 7, 2026. The outage occurred as many University of California students prepared for midterms or final exams. Esther Mejia and Kelly Merchant, public policy students at UC Riverside, said they could not reach several professors for guidance after losing access to assignments, tests and required reading material.

Mejia said in an interview that this was a crucial time for students to access coursework and that professors should have reached out. Merchant learned of the hack on Reddit after being logged out while finishing an assignment. By Friday she had heard from only one professor, who created a Discord group earlier in the term and used it to share material for an assignment due the next day.

The attack appears to have begun on or around April 29 when Instructure detected unusual activity, according to a class-action suit filed in a Texas federal court. The company later disclosed that the breach exploited a vulnerability in Canvas’s free tool for teachers.

On May 4 some California State University campuses experienced a brief shutdown but returned to operation within 20 to 30 minutes. By May 7 the platform went offline across multiple systems. The University of California blocked access that day and stated on its website that Canvas would not be restored until the system was confirmed secure.

The hacker group ShinyHunters claimed to have obtained sensitive data including billions of messages and threatened to release it unless paid a ransom. Instructure’s CEO said core learning data such as course content, submissions and credentials was not compromised.

Cal State said Canvas does not store social security numbers.

The Cal State system enrolls more than 400,000 students while the UC system enrolls about 300,000. The Los Angeles Unified and Fresno Unified school districts, which enroll more than 400,000 students combined, were also listed as targets. The district enrolls nearly 200,000 students annually.

She said on May 9 that Instructure had not yet provided specific information about what data was accessed in the district’s system. By May 9 UC Riverside had mostly restored access, with other universities coming back online in the following days. m.

m.

The incident has prompted discussion about schools’ reliance on a single online platform for critical academic functions. Jake Chanenson, an education technology researcher and PhD student at the University of Chicago, said centralized software-as-a-service systems allow institutions without technical expertise to manage operations on one platform but create a single point of failure.

Chanenson said schools without dedicated technology departments may conduct only cursory privacy and security assessments of new tools. He added that when institutions put all their operations in one basket across schools it makes those systems attractive targets.

Sen. Melissa Hurtado, a Democrat from Bakersfield, called for a legislative audit of California’s reliance on Canvas. She stated that the breach exposes the growing risks of concentrating student records, academic systems and institutional operations into a single platform.

Schools may reassess how much information they entrust to third-party providers. Chanenson said companies should examine their data collection and retention policies to minimize the amount of sensitive information stored, noting that any dataset carries a non-zero probability of breach.

Past data breaches in the education sector have sometimes resulted in legal action against institutions or vendors.