Update 05/07/2026 at 1:52 p.m.: This article has been updated to reflect the nationwide impacts of the seizure and Instructure’s status response page.
Update 05/07/2026 at 2:14 p.m.: This article has been updated to include ShinyHunters’ statement on the nationwide takedown of Instructure.
Update: 05/07/2026 at 3:40 p.m.: This article has been updated to include the campus’s system status update and student responses.
Update: 05/08/2026 at 3:15 p.m.: This article has been updated to reflect that Canvas is back online.
UC Berkeley’s learning management platform bCourses, the software that all 43,000 students use to access their class materials, has been seized by hackers. When some students attempted to log in Thursday afternoon, they were met with a red warning label, informing users that Instructure — the company that operates Canvas — has refused to pay a ransom.
In a statement to The Daily Californian, the black-hat cybercrime group ShinyHunters claims to have stolen “more than 600,000” UC Berkeley student and staff records and says it will leak them unless the campus pays a ransom.
Students’ access to Canvas was restored Friday afternoon, with campus officials advising that some may experience “intermittent performance as the bCourses platform stabilizes.”
The Canvas takedown affected hundreds of thousands of students nationwide as universities utilizing the Instructure service have seen their learning platforms pushed offline, with the same red warning message appearing on user screens.
Campus first acknowledged the cyberattack in a message from Vice Provost of Undergraduate Education Oliver M. O’Reilly Thursday afternoon. He told the campus community not to attempt to access Canvas through any browser or device and close browsers logged into Canvas immediately.
In a statement to the Daily Cal following the nationwide seizure, ShinyHunters said, “We urge Instructure to reach out and resolve this situation with us amicably.”
“Affected institutions also have the opportunity to reach out to us to prevent the release of the data since Instructure is being non-transparent and seemingly does not care for its customers,” ShinyHunters said. “All (data) will be leaked by 12 May 2026 except the ones that pay.”
Instructure’s software status website confirms the blackout, stating, “Canvas, Canvas Beta and Canvas Test are currently unavailable.” The company claims they are “investigating” the issue as of 2:41 p.m. PST.
Prior to this afternoon’s seizure, ShinyHunters told the Daily Cal the stolen information included “student and staff email addresses, names, student IDs, courses enrolled, and tons of private messages.” Students should be wary when attempting to log in to bCourses, as the group claims the current attack may use a different infiltration method and password entries could be stolen.
Campus spokespeople declined to comment on the breach prior to the seizure, and the UC Office of the President, or UCOP, spokesperson Stett Holbrook had said in a statement, “We believe that the Canvas platforms for several UC campuses may have been impacted by the recent breach by threat actors.”
“Although Instructure reports that Canvas is fully operational and is not seeing any ongoing unauthorized activity, we continue to monitor the situation and are evaluating next steps,” Holbrook said. “UC will provide updates on UCnet as more information becomes available.”
The group claims to have obtained these records from a massive, nationwide breach of the company Instructure and its student learning platform, Canvas, and threatens to publish the personal information of users from more than 7,000 schools and universities.
The Daily Cal has contacted the group and obtained a list of allegedly affected institutions via the ShinyHunters’ dark web breach site. The list includes multiple UC campuses, including UC Berkeley, UCLA, UC Davis, UC Riverside, UC San Diego, UC Irvine and the UC-operated online course provider for high school students, UC Scout.
The Daily Cal was unable to independently verify the reported number of stolen UC Berkeley student and staff records.
“I think all students are panicking right now,” said senior Maria Adame, a public health major. “I hope there are some accommodation for our finals if this goes on for a long period of time.”
O’Reilly said in the message that students should wait for more information from instructors on how to access assignments and course materials, adding that the campus is “exploring other paths for students and staff to access needed information.”
ShinyHunters says a ransom payment by Instructure can prevent the release of personally identifiable information of more than 275 million students, teachers and staff. While the ransom deadline was set to expire Thursday, the group has pushed it to May 12 because some institutions have engaged in ransom negotiations, according to an update on its dark web site.
While the campus Information Security Office, or ISO, and UCOP have released statements in the past week reporting a nationwide Canvas breach, neither has publicly confirmed that UC campuses were directly affected.
“Our demand was not even as high as you might think it is,” ShinyHunters wrote on its site. “(Instructure) seemingly does not care about all the students affected and the institutions impacted by this data breach.”
According to 2024 data, Canvas is used by 41% of higher education institutions in North America. All nine UC undergraduate campuses use Canvas, but notably, ShinyHunters’ list does not include UC Santa Cruz, UC Santa Barbara or UC Merced.
According to the ISO, Instructure notified the campus of the nationwide “cybersecurity incident” May 1, and the leaked information may have included “names, email addresses, student ID numbers, and messages exchanged in Canvas/bCourses.”
However, the ISO claims there is “no evidence” that the breach involved passwords, birthdates, government identification or financial information.
On Monday, some Turnitin services on UC Berkeley bCourses, the campus Canvas software, were impacted by an unplanned API key rotation during Instructure’s response to the breach, according to the ISO in a statement on its website.
“When I opened it, I wasn’t able to access content that will be pretty important for studying for finals, so it was pretty unfortunate,” said junior Leisha Devisetti, a computer science major.
ShinyHunters is a well-known hacker group responsible for numerous ransom attacks since 2020 and has previously targeted universities. In late 2025, the group stole alumni information from Harvard University, Princeton University and the University of Pennsylvania.
These attacks involve a “pay or leak” strategy, in which victims must hand over sums, often in the hundreds of thousands of dollars, usually in cryptocurrency, to prevent attackers from dumping the stolen information on the internet. According to TechCrunch, Harvard University and the University of Pennsylvania failed to pay in 2025, resulting in the leak of more than 1 million alumni and development records.
ShinyHunters declined to disclose how much money it is demanding from UC Berkeley or Instructure in order to prevent the release of stolen data.
“Make the right decision, don’t be the next headline,” ShinyHunters wrote on its site.
This is a developing story. Check back for updates.
Click Here For The Original Source.
