The attack targeted Canvas, a cloud-based digital hub for classrooms. UC and Cal State officials said they are monitoring the situation and gathering information as Instructure, the company behind Canvas, works to restore service. UC Berkeley said it was not directly targeted.
Universities and school systems across the country, from the University of Pennsylvania to Georgetown University to the the University of Oklahoma, reported a ransom note on the homepage of their schools' Canvas sites.
UC Berkeley sent a community-wide email instructing its students not to access Canvas until further notice: "We recognize this significant disruption affects teaching and learning across campus. Students should await instructions from their instructors regarding temporary arrangements for submitting assignments and accessing course materials."
Acalanes Union High School District sent a communitywide email informing families about a cybersecurity incident that disabled the Canvas platform. The district also reminded users, "Do not respond to suspicious emails, texts or login requests, do not share passwords or verification codes, and ignore unexpected account access requests."
Half of all college and university students in North America use Canvas or Canvas Career, parent company Instructure claims on its website, with more than 8,000 institutions as customers. Many of those students are in the middle of a busy spring finals week.
This is the second data breach this month among schools and universities. Hacking group ShinyHunters claimed responsibility for both attacks. In the note, reported by different student news outlets, the group demanded ransoms to prevent further data leaks.
"ShinyHunters has breached Instructure (again)," read a warning on a University of Washington student's account around noon PT, which was seen by CNN. "Instead of contacting us to resolve it they ignored us and did some 'security patches.'"
Instructure said on its website that Canvas was "in maintenance mode" late Thursday afternoon, adding that it was investigating the issue.
On May 1, in a different attack, Instructure said it "experienced a cybersecurity incident perpetrated by a criminal threat actor" but contained the situation the next day. But the company indicated that user names, email addresses and student ID numbers were breached.
"Instructure still has until EOD 12 May 2026 to contact us," Thursday's note said.
CNN has reached out to Instructure for comment.
The-CNN-Wire
& 2026 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
ABC7 Eyewitness News contributed to this report
Stay with ABC7 News for the latest details on this developing story.