Menu
Browse

Cyber Incident Victim: University of California, Berkeley

Date:

May 2026

Location:

United States of America

Summary

The Canvas learning management system was compromised by the hacking group ShinyHunters, which threatened to release stolen data unless a settlement was paid. The breach disrupted access to lectures, assignments, and exams for thousands of students across California, including those at the University of California, Berkeley, where many were unable to submit work or study during the crucial period before finals. University officials reported that the incident was contained and remediated, though they did not disclose whether any ransom was paid, and warned of possible phishing attempts exploiting the exposed information.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 3 techniques
Threat Actor Type Location
1 actor Available to members Available to members

Description

On May 1, Instructure notified educational institutions of a problem with its Canvas learning management system, and by the following Friday the attack had entered its second day, leaving thousands of students across California unable to access online lectures, take exams, or submit assignments. The disruption affected the University of California system, the California State University system, the state’s 116 community colleges, and numerous K‑12 schools, with officials confirming that emails, student identification numbers, and internal Canvas messages had been compromised while Social Security numbers, financial information, and passwords remained unaffected. UC Berkeley issued a notice stating that Canvas had largely been restored and that final exams would proceed as scheduled, while the California State University system reported that its Canvas services were back online but that it had not yet fully reintegrated campus systems or data connections with the platform. The statewide community college system adopted a similarly cautious approach, and the state chancellor’s office alerted colleges to remain alert to potential phishing or scam attempts. University of California officials described the breach as contained and remediated but said they were making risk‑based decisions about re‑opening Canvas, and neither UC nor CSU publicly confirmed whether they had paid the ransom demanded by the attackers.

Cyber Incident Image

At UC Berkeley, the incident coincided with Dead Week, a period when regular classes are suspended so students can focus on studying for upcoming finals, leaving many unable to use Canvas to share study materials or communicate with instructors. Graduate student instructor Sara explained that she intended to create a Google Drive to distribute reading materials and lecture slides but lacked a way to mass‑email the link to students without Canvas, resorting instead to emailing as many individuals as possible and asking them to share the resources with peers. Microbiology student Chiara Vinzoni described the atmosphere as one of widespread panic, noting that the timing of the shutdown during the week before finals was extremely frustrating. Computer science major Adrian Segura expressed particular concern not because he missed assignments in two English classes but because he feared his personal information might be leaked, a worry heightened by the fact that his surname means “secure” in Spanish and that he habitually inputs a false date of birth when prompted unless the request is medically or legally required, such as for university registration. The attackers, identifying themselves as ShinyHunters, had posted a message on Canvas threatening to release stolen data unless schools contacted them privately to negotiate a settlement, giving Instructure a deadline of May 12 to respond.

Cliff Steinhauer, director of information security at the National Cybersecurity Alliance, observed that the incident illustrates the danger of relying heavily on centralized platforms for critical educational operations, noting that when a system used by thousands of institutions fails during finals season the impact becomes a large‑scale operational disruption rather than an isolated IT problem. He added that even without exposure of highly sensitive financial data, educational records, communications, and identity information remain valuable to cybercriminals for phishing, impersonation, and future attacks. Throughout the episode, neither the University of California nor the California State University system disclosed whether they had satisfied the ransom demand, and the attackers’ message remained visible on affected Canvas screens until the service began to be restored.

Sources
Sources available to members
1 source