
Cyberattack disrupts Canvas at Cal Poly Humboldt, College of the Redwoods

Finals-week Canvas outages put Cal Poly Humboldt and College of the Redwoods students at risk of missed deadlines, while officials assessed possible data exposure tied to Instructure.

Sarah Chen
Source: lostcoastoutpost.com

A nationwide Canvas outage landed at the worst possible time for Humboldt County students, interrupting access to assignments, exams, grades and course messages just as Cal Poly Humboldt and College of the Redwoods moved into finals. For students trying to wrap up spring classes, the disruption threatened more than convenience. It touched the basic mechanics of the end of the semester, from last-minute instructor reminders to deadlines that can decide whether a paper, quiz or exam counts on time.

Cal Poly Humboldt said on May 7 that Instructure had told the university a threat actor accessed data stored at Instructure’s site that likely included CSU-related information. The university said the potentially exposed data may include names, email addresses, campus ID numbers and user messages. It also said Canvas does not store passwords, Social Security numbers, financial information or dates of birth, and that there was no evidence of an ongoing threat when it posted its update.

College of the Redwoods said on May 8 that Canvas services had largely been restored after the nationwide outage, but the timing still left the college managing finals pressure. The school said finals were continuing as scheduled and commencement and graduation-related events remained set to go forward. At the same time, faculty were asked to take the outage into consideration when handling assignments, quizzes, exams, deadlines and other course activities affected by the disruption. The college also warned students and employees to watch for suspicious emails, texts or links claiming to be from Canvas, Instructure or the college.

The scale of the incident extended far beyond Humboldt County. The University of California system said Canvas login pages showed a suspicious message from the threat actor and that access was temporarily blocked or redirected out of caution. Rutgers University said thousands of institutions were dealing with the incident and that access had been suspended during the exam period. The University of Wisconsin-Madison said Instructure disclosed on May 1 that the information involved could include names, email addresses, student ID numbers and messages among users, but not passwords, dates of birth, government identifiers or financial information. The University of Texas at Austin said the event was a vendor-level incident affecting thousands of institutions worldwide, not an attack aimed at UT Austin specifically.

Instructure said the incident was perpetrated by a criminal threat actor, that it was investigating with outside forensic experts and law enforcement, and that Canvas later became fully operational. It also told customers to enforce multifactor authentication on privileged accounts, review admin access and rotate API tokens or keys where applicable. For Humboldt County, the episode showed how quickly a cloud platform used for ordinary class management can become a single point of failure when finals are on the line.
