Canvas security breach disrupts San Francisco schools, UC systems statewide

A Canvas breach briefly cut into assignment access, grades and class messaging for San Francisco students and faculty, from San Francisco State University and UC Berkeley to K-12 districts across Northern California. In San Francisco, where SFUSD serves about 50,000 students a year and also functions as the County Office of Education, even a vendor outage can disrupt homework, parent communication and make-up work in a single afternoon.

Instructure, the company behind Canvas, said the unauthorized third-party access happened in late April 2026 and that the incident was resolved by May 6, 2026. The company said it was not seeing ongoing unauthorized activity and urged customers to enforce multi-factor authentication on privileged accounts, review admin access and rotate API tokens or keys where needed. California State University said Instructure told campuses that some personal information tied to user accounts may have been involved, but there was no evidence passwords, Social Security numbers, financial information or other highly sensitive data were compromised.

At UC Berkeley, the information security office said the problem was a vendor-level event affecting thousands of institutions worldwide, not a targeted attack on Berkeley. But the campus status dashboard showed a major-performance incident on May 7, 2026, and users trying to log into bCourses saw an error message saying ShinyHunters had breached the site. The University of California Office of the President was coordinating with Instructure, Berkeley said.

San Francisco State University’s Academic Technology office warned the campus on May 6 that the incident affected CSU campuses using Canvas, including Cal State East Bay, San Francisco State and Sonoma State. CSU’s Bay Area region also includes San José State, and the system says it has 22 campus colleagues in its Canvas consortium. For students, that kind of disruption can freeze access to homework, rubrics, gradebooks and announcements in the middle of a term, forcing instructors to shift deadlines and rebuild communication in real time.

The latest breach lands in a state with a long memory for school technology failures. A 2012 education-sector cyber breach delayed statewide STAR test results, a reminder that when one platform underpins classrooms across a region, a vendor problem quickly becomes a public problem. In San Francisco, where schools, colleges and county education services rely heavily on Canvas, the bigger question now is how much redundancy and security the next outage will require.