Word came down from Cal Poly Humboldt today that professors and students have been locked out of Canvas, the cloud-based software that the whole university uses to manage assignments and grades and the like.

One professor who contacted showed us a message that she received when she tried to log in. It read like this:

S H I N Y H U N T E R S
rooting your systems since ’19 

ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some “security patches”.

A  W A R N I N G

If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.

Instructure still has until EOD 12 May 2026 to contact us.

Soon after, this was replaced with a generic “system down for scheduled maintenance” message apparently posted by Instructure, the private company that provides the Canvas service.

Well. It turns out that Humboldt was just a small corner of this cyberattack, which has struck thousands of universities across the nation that use Canvas to manage their classes. Among them: College of the Redwoods, which had a “Canvas is down” banner across the top of its homepage as of this writing.

The California State University system has a page up monitoring developments. There’s really not a lot of information yet. Suffice to say, though: If this continues for very long, it’s going to be a very strange end to the semester.

Earlier today — before the outage — Cal Poly Humboldt sent out this message to professors:

Dear Faculty and Staff:

This is to inform you of a recent cybersecurity incident involving Instructure, the vendor that provides Canvas, Cal Poly Humboldt’s learning management system. 

We have been informed that the threat actor accessed data from many educational institutions worldwide stored at Instructure’s site that likely included information from the CSU. Instructure is still confirming what data may have been exposed, but based on their preliminary assessment, it may include personal information such as names, email addresses, campus ID numbers, and user messages.  At this time, neither Instructure nor we can confirm whether any individual’s data Cal Poly Humboldt was included. Canvas does not store passwords, Social Security numbers, financial information, or dates of birth. 

Canvas remains fully operational, and there is no evidence of an ongoing threat. Instructure has contained the incident, remediated the vulnerability, and continues to investigate in coordination with external forensic experts and law enforcement. 

Out of an abundance of caution, we encourage all community members to remain vigilant for phishing or suspicious communications and to report any such activity to security@humboldt.edu.

Password resets are not required at this time; we will notify you if that guidance changes. 

We are continuing to work with Instructure to determine the full scope of impact and will provide updates, including resources for affected individuals, as more information becomes available at (this link). If you have any questions or concerns, please contact ITS  Service desk at (707) 826-4357 or help@humboldt.edu.