
A criminal internet hacking group called ShinyHunters has hacked Canvas.
Canvas is run by the American technology company Instructure.
Citrus College emailed students, staff and faculty at 3 p.m. on May 7, telling them not to attempt to log in to Canvas at this time, citing “some indications that login credentials may be compromised if you attempt to log in.”
Students who attempt to sign on to their Canvas accounts are met with a notification that reads,
“A WARNING
If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026, before everything is leaked.
Instructure still has until EOD 12 May 2026 to contact us.”
A text file is provided that includes around 9,000 schools nationwide, Citrus College being just one of them.
“I received a notification that Canvas is down,” Henoch Perez, Associated Student of Citrus College’s president, said. “My first thought was that this is rare and that it is going to impact all students.”
He wasn’t made aware of the specifics of what was happening.
“I did not know specifically about the hack until you asked. I knew the system was down and I noticed that people were speculating that it was a nefarious reason.”
An email was sent out to all California community college presidents by California Community College Chancellor Sonya Christian. The email states, “even with this progress, there are important security protocols that must be completed. The Security Center needs to validate the system, confirm data integrity, and ensure that the environment is secure before restoring full access. That process is deliberate and necessary to protect our students, faculty, and staff.”
However, the chain of emails originated much earlier than the announced hack. On May 4, both Christian and her colleagues were aware of a “reported cybersecurity incident involving Instructure,” according to Christian’s email thread.
That morning, Instructure told the educational institutions involved that it had taken the proper steps to patch the security issues. In that same email, the company said it was aware that the potentially affected data consists of names, email addresses, student ID numbers (not Social Security numbers) and messages within the Canvas platform.
Citrus College’s Executive Director, Strategic Communications, Marketing and Public Affairs, Lisa McPheron, said that the college leadership will be discussing this further on the morning of May 8.
“Canvas is used by all 116 community colleges in California, plus other universities and colleges outside of our system,” McPheron said. “This cyber incident is impacting the entire community college system in California. We are gathering information that we have, and we’ll share updates with our campus as it becomes available.”
Perez posed a question that educational institutions across the nation should now consider: “Have we become too reliant on Canvas for online education?”
At 8:00 p.m., Canvas returned on mobile for the community colleges, but not for the states or UCs. Desktop is still not active at this time.
Update at 11:10, May 8: Canvas remains temporarily unavailable at Citrus College.
Further information can be found with the California Community Colleges Security Center.

