UC Halts Canvas Access Systemwide After Instructure Confirms Breach Containment

*TL;DR: The University of California has blocked access to the Canvas learning platform across all campuses until it can verify that the system is secure after Instructure reported a data breach.

Context Instructure, the vendor behind Canvas, alerted the University of California on May 6 that its systems suffered a data breach. The breach, part of a broader incident affecting thousands of institutions, prompted the UC Office of the President to issue an emergency directive on May 7 to block or redirect Canvas traffic.

Key Facts - Systemwide block: UC IT teams have implemented a network‑level block that prevents any user from reaching Canvas until a risk‑based decision is made to restore service. - Containment claim: Instructure announced on May 8 that it had contained and remediated the breach, but UC will restore access only after confirming the platform’s integrity. - Operational impact: Students, faculty, and staff at all UC campuses currently cannot log in to Canvas, disrupting coursework, assessments, and communication. - Threat vector: The breach involved a malicious message displayed on the Canvas login page, indicating a likely credential‑phishing campaign. No specific vulnerability (CVE) has been disclosed, but the attack leveraged the public‑facing authentication portal. - Response coordination: UC cybersecurity partners are receiving continuous updates from Instructure’s incident response team and are monitoring for phishing attempts that mimic university communications.

What It Means The block reflects a risk‑averse stance: without full visibility into the attacker’s foothold, restoring access could expose personal data such as student IDs, grades, and faculty research. UC’s decision to evaluate restoration campus by campus allows each location to align the timeline with academic schedules while maintaining a unified security posture.

Mitigations – What Defenders Should Do 1. Enforce MFA – Require multi‑factor authentication for any remaining UC services that interact with Canvas APIs. 2. Update detection rules – Deploy signatures for the phishing page observed on the Canvas login URL; map to MITRE ATT&CK technique T1566.002 (Phishing: Spearphishing Link). 3. Patch web gateways – Ensure all reverse‑proxy and web‑application firewall (WAF) rules are current to block unauthorized redirects. 4. Monitor credential use – Flag anomalous login attempts to UC single sign‑on (SSO) that originate from unfamiliar IP ranges. 5. Educate users – Circulate clear guidance that UC will never request passwords, Social Security numbers, or banking details via email or text.

Looking Ahead Watch for Instructure’s next status update and UC’s campus‑specific rollout plan, which will indicate when Canvas can safely resume supporting the university’s academic operations.