Is Canvas Still Down? Bay Area Schools Slowly Restore Access After Global Hack

An image of a notice sent by Georgia Tech's information technology department warning students, professors and staff about the cybersecurity breach of the Canvas system it uses for assignments and grading is displayed on a phone, on Friday, May 8, 2026, in Decatur, Georgia. The crippling cyberattack against Canvas, a widely used online learning platform, underscores the security vulnerabilities of education technology, experts said.  (Michael Warren/AP Photo)

Bay Area schools were working to restore access to Canvas on Friday after a cyberattack on the company behind the widely used learning platform left students and teachers around the world without access to homework and exams.

Stanford University, the California State University system and the Peralta Colleges — Berkeley City College, College of Alameda, Laney College and Merritt College — were among the institutions that had begun to restore the software’s use on Friday.

“The situation has been challenging, but people here in the East Bay are resilient,” Mark Johnson, a spokesperson for the Peralta Community College District, told KQED by email.

UC Berkeley said access “has largely been restored and final exams will proceed as scheduled.”

In a statement, Foothill and De Anza Colleges in the South Bay said their security team restored Canvas access at 1 p.m. Friday, and said the “attacker did not access core Canvas functionality, downloaded but did not have access to and make any changes to user data, grades, or course content.”

Instructure, the Salt Lake City-based company that develops and publishes Canvas, said early Friday that it had brought the platform back online, but many individual schools and groups that use the system were conducting their own checks before restoring access.

University officials said Friday that “in an abundance of caution, CSU has not yet fully reintegrated our campus systems or data connections with Canvas,” though they planned to do so by the afternoon after completing security protocols.

Students at all 116 California community colleges, along with thousands of K-12 schools, colleges and universities nationwide, rely on the learning software daily to view and submit assignments, take part in class discussions, access syllabi and learning materials, and take exams.

One of the entrances to the Main Quad on the Stanford University campus on April 9, 2019. (Rachael Myrow/KQED)

A black-hat hacker group named ShinyHunters took credit for the attack, though the group’s role has not yet been confirmed. On Thursday, students like Emily Mills, at City College of San Francisco, were greeted by what appeared to be a ransom note threatening to release sensitive information when they tried logging into Canvas to take their exams.

“Maybe it’s scheduled maintenance, maybe it’s ShinyHunters,” Mills joked in a post on X.

Heidi Skolnik, part-time faculty at Chabot College in Hayward, said she was teaching an in-person statistics course Thursday when a student showed her the hackers’ message.

“I didn’t really read it very carefully other than to see its threatening and really obnoxious tone, and really alarming dark colors on the screen,” she said.

Without access to Canvas to share course materials, Skolnik passed around a flash drive to all 20 students to download the data they needed for class to their laptops.

Skolnik said the incident made her reflect on how the experience must feel to community college students, particularly those who are only enrolled in online courses.

“This is so much a part of their world it seems,” she said, “scams and hacks and all of the privacy issues that come up in online spaces.”

In a statement, Instructure said it took Canvas offline Thursday after “the unauthorized actor involved in our ongoing security incident made changes to the pages that appeared when some students and teachers were logged in.”

The attack “exploited an issue related to Free-For-Teacher accounts,” company spokesperson Brian Watkins said in an email shortly after 1 a.m. Friday, referring to a demo program for educators whose schools weren’t Canvas users. After temporarily shutting down those accounts, Watkins said, the company restored access to Canvas.

According to the California Community Colleges Security Center, Instructure first detected the intrusion April 29, “immediately began containment, and confirmed the incident publicly over the following days.”

Students make their way on campus at CSU East Bay on Feb. 19, 2025. (Martin do Nascimento/KQED)

On Tuesday, CSU officials said Instructure’s CEO and chief security officer notified them of a data breach potentially compromising Canvas users’ personal information, but Canvas remained up and they said there was “no indication of ongoing risk.”

Two days later, it appeared the cyberattackers still had access to Instructure’s systems, posting the ransom messages to Canvas login pages.

Based on the investigation to date, there is no evidence that passwords, Social Security numbers, financial information, or dates of birth were involved, community college and CSU officials said.

According to Bloomberg, Instructure was slapped with at least seven federal suits this week, including six filed in the U.S. District Court for the District of Utah. KKR, a global investment firm that purchased Instructure in 2024 for about $4.8 billion, is a named defendant in a case filed in the Southern District of New York.

Sarah Powazek, a research program director at UC Berkeley’s Center for Long-Term Cybersecurity, said schools are a “treasure trove” of sensitive data, particularly that of minors. They’re also particularly vulnerable because there aren’t many education software vendors like Instructure, and they have a large number of users.

“These companies have a very high market share,” Powazek said. “Almost every school in the country at the K-12 level uses some combination of the same tools, which means that there’s a very high value for hackers that are able to intercept or get some sort of access to one of these products — because it means they won’t have access to just one school … they might be able to access the accounts of multiple schools across the country.”

Powazek and other cybersecurity experts said the attack highlighted education’s reliance on digital technology, which creates a single point of failure in the supply chain.

Cliff Steinhauer, director of Information Security and Engagement at the National Cybersecurity Alliance, said it should be a wake-up call.

The UC Berkeley Campus in Berkeley on Aug. 17, 2023. (Martin do Nascimento/KQED)

“The Canvas breach underscores how deeply schools now depend on centralized digital platforms to keep day-to-day academic operations running,” Steinhauer said. “Even if highly sensitive financial information was not exposed, educational records, communications, and identity data can still be valuable to cybercriminals for phishing, impersonation, and future attacks.”

Powazek said the Canvas attack is similar to a 2024 breach of PowerSchool, one of the most widely used student information systems in North America. In that case, a Massachusetts college student was charged for the ransomware attack.

The stakes of both national incidents, she said, should encourage schools and private companies like Instructure to bolster their security profiles.

“When these services go down, it can impact the entire country’s day of school, which is a massive responsibility for those products,” Powazek said. “And I think it really hammers home how important it is. Some of these really technical cybersecurity controls on the backend can have a real impact on the day-to-day lives of most Americans.”
