Canvas is inaccessible for Cal Poly students following a ransomware attack that may have exposed the personal information of Cal Poly users.

Instructure, the parent company of Canvas, was attacked by the cybercrime group ShinyHunters, which claimed to have data from 9,000 schools and 275 million users, including students, teachers and other staff, according to The Verge. The group left a message on the dashboards of student users at various schools claiming responsibility for the attack and threatening to leak user information.

“You have till the end of the day by 12 May 2026 before everything is leaked,” the message read, according to the Duke Chronicle.

In a student-wide email sent out yesterday, Campus Information Security Officer Kyle Gustafon said the Information Security Office (ITS) was aware of the breach and that user data such as “names, email addresses, student ID numbers, and user messages” may have been exposed. However, Gustafon said neither ITS nor Instructure could confirm whether Cal Poly users’ data was included.

Out of an abundance of caution, Gustafon encouraged community members “to remain vigilant for phishing or suspicious communications and to report any such activity to abuse@calpoly.edu.” 

When asked for comment, Cal Poly representative Keegan Koberl referred Mustang News to the California State University website.

“Instructure is working diligently to gather more information and get systems restored,” the site reads.

ShinyHunters previously claimed responsibility for attacks on Ticketmaster, AT&T, Rockstar Games, ADT and Vercel, according to The Verge.

This is a developing story. Mustang News will issue updates as they become available.