The Brief

The online education platform Canvas went offline after a data breach on Thursday, temporarily leaving students and faculty at thousands of U.S. colleges — and K-12 schools — without access to course materials and communications during finals period.

"I'm sure somewhere in the country when the outage happened, there probably were people actually taking final exams on the platform when it crashed," says Damon Linker, a senior lecturer in political science at the University of Pennsylvania.

Thirty million users — including at half of the higher education institutions in North America — rely on Canvas to manage courses, submit assignments, view grades and facilitate communication, according to its parent company, Instructure.

But when Linker and many other users tried to do so on Thursday afternoon, they met a black screen and a warning message.

"ShinyHunters has breached Instructure [again]," it read. "Instead of contacting us to resolve it they ignored us and did some 'security patches.'"

ShinyHunters is the same entity that took credit for a massive Ticketmaster data breach in 2024. Like many such groups, it's a cluster of young people working remotely together, "kind of like a ransomware gang," says Rachel Tobac, the CEO of SocialProof Security, which trains people and companies to defend themselves against hackers.

ShinyHunters wrote on a threat intelligence website earlier this week that the initial breach on Saturday involved data — including private messages — from 275 million students, teachers and staff at nearly 9,000 schools worldwide. The group said Thursday that affected schools can prevent the release of their data by consulting with cyber advisory firms and negotiating settlements through the encrypted chat platform Tox.

"You have till the end of the day by 12 May 2026 before everything is leaked," the hackers wrote.

Instructure has confirmed a series of cybersecurity breaches this week and provided status updates on its website. It said the breach only appeared to involve identifying information like names, email addresses, student ID numbers and user messages — no passwords, birth dates, government identifiers or financial information.

Instructure confirmed on an FAQ page that it started an investigation after it first detected unauthorized activity in Canvas on April 29, and took Canvas offline on Thursday after that same unauthorized actor "made changes that appeared when some students and teachers were logged in." They said the actor exploited an issue with its Free-for-Teacher accounts, which it has temporarily shut down.

"This gives us the confidence to restore access to Canvas, which is now fully back online and available for use," it said in a statement to NPR. "We regret the inconvenience and concern this may have caused."

It's not clear whether Instructure paid a ransom or what the return of Canvas access could mean for the hackers' May 12 deadline.

Tobac says Canvas could be back online because of a successful negotiation, or because the hackers "didn't get super far in their attack." Either way, she says users should stay vigilant, especially for phishing messages — whether it's someone posing as Canvas prompting a password change, or pretending to be a professor sending course materials.

"I would operate under the assumption that there's going to be some knock-on effects here," she says.

Not everyone got back online immediately 

Just before midnight on Thursday, Instructure posted online that "Canvas is now available for most users," though two separate services, Canvas Beta and Canvas Test, remained in maintenance mode.

Students and faculty at at least some schools were still unable to access Canvas on Friday — either because service had not yet been restored or because administrators warned them to stay away.

Penn State University, for example, said Friday morning that while the school's Canvas access had been partially restored, it was "not yet ready for use."

"Technical teams at Penn State are actively working to prepare the system for our community," it added. "As access is restored, Canvas integrations and related services will be brought back online in phases."

Several schools have taken similar approaches, either temporarily disabling Canvas access or outright asking users to steer clear. The University of California said across its schools, "Canvas access will not be restored until we are confident the system is secure."

And it's not just higher education: The Montgomery County Public School system in Maryland alerted families on Friday morning that even as service returned, it is "continuing to test and review systems before restoring access."

Tobac says this could mean that schools think the attackers might still be within their systems, potentially stealing information like passwords and messages.

"The attackers probably got some sensitive information and … [schools] don't want this information out online," she says.

Many schools are urging users to be on high alert for any unsolicited emails or messages that appear to come from Canvas, especially those requesting login credentials, as Georgetown University warned. The University of Amsterdam — which says it's one of 44 Dutch educational institutions affected — also recommends people change their passwords on any other sites where they use the same one.

Tobac also recommends using a password manager — to generate long, random passwords for each login — and turning on multi-factor authentication for all online accounts, not just Canvas. She says any student or professor who gets a suspicious call, text or email should "use another method of communication to verify what is authentic."

"Even if there was no breach yesterday, I would say these are the things that I recommend you do," she adds, urging people to "be politely paranoid."

The breach disrupts finals, highlights vulnerabilities

Several schools affected by the breach have already postponed or outright scrapped some final exams, with others warning students and professors that they might need to do so.

The University of Illinois is postponing all final exams and assignments scheduled through Sunday. Penn State canceled certain exams scheduled for Thursday night and Friday, saying it was working with faculty to "determine next steps for final grading" and urging students to check their emails (not Canvas) regularly in the meantime. And Baylor University delayed Friday exams and asked all faculty to send students "whatever study materials they have on their local computers to students as soon as possible."

The breach has underscored how much of academia relies on a single, centralized platform.

Linker, of UPenn, told NPR that he received an influx of panicked messages from students on Thursday afternoon when they suddenly couldn't access PowerPoints, readings and previous exams as they tried to study for Monday's final.

"The problem with using a platform like Canvas is that most [students] are not going to have the readings available printed out or on their laptops," he explains. "It all lives on the online platform, and if that platform goes down, they have no way to access them."

He told students on Thursday that he would upload the course materials to another platform (like Dropbox or Google Docs) if Canvas access wasn't restored by Friday morning. Fortunately, he says, it came back online shortly before 9 a.m. ET.

But Linker says he has concerns about relying fully on Canvas in the future.

"Given what this has exposed, the vulnerability involved and also the concern with the data breaches, I'm starting to rethink whether this is really a wise way to proceed," he says.

One example of that is grading. Linker says Canvas makes it so easy to calculate and weigh students' scores — on individual assessments and overall — that it's come to function as a digital grade book. Going forward, he says he may start keeping an analog record of students' grades just in case.

While Canvas does have competitors like Blackboard, Linker says he doesn't think any would be less vulnerable to a future breach. And Tobac agrees.

"The problem is not that this one website had this cyber event, right? Because nothing in this world is unhackable," she says. "The thing that we have to think about is disaster recovery: How do we continue doing business when there is a cyber event, and how do we do our very best to keep the bad actors out?"

Tobac says this week has shown that many institutions did not have a clear plan for how students and professors can be in touch and access course materials without Canvas. She said those plans should vary based on schools' different circumstances and schedules — which might explain why some are proceeding with finals as usual while others are scrapping exams altogether. But she'd like them to approach the immediate aftermath with one common goal.

"We have to treat people with dignity and respect," Tobac says. "And I hope that that is something that the institutions do, within their timelines and constraints."
Copyright 2026 NPR

Southern California was built on radio.

"I can still hear the jingle KFWB News 98,” wrote  Taline in Los Feliz, during a recent conversation on LAist's daily news show, AirTalk, which airs on 89.3 FM. “I grew up hearing that in my dad's minivan on the way to and from school. It has a special place in my heart.”

Back in April, broadcast company Audacy announced KNX News — one of the last-remaining all-news FM stations — was leaving the FM dial where it had simulcast on 97.1 FM since 2021. The station, which is also one of the oldest in L.A., is not budging from 1070 AM where it has been on the air for more than 100 years. The move away from FM officially happened in May to make way for a new sports talk station, which Audacy officials called an area of growth for advertisers in today’s media landscape.

The move is one in a long line of changes for radio and a reminder that before podcasts, playlists and algorithms, many Southern Californians built their days around radio broadcasts.

Radio, a daily ritual

The construction of KNX

(

Herman J. Schultheis

/

Los Angeles Public Library

)

Michael Jackson, a well-known KNX, personality

(

Los Angeles Public Library

)

Larry Mantle, now in his 41st year hosting AirTalk, remembers being a kid and dreaming of what it might be like to be behind the mic at one of these radio stations.

“ I grew up with KNX," he said. “My dream job as a kid was to be an anchor on KNX or KFWB, the two local all-news radio stations, 'cause there was nothing like hosting AirTalk that even existed at that point.”

Mantle opened up the phone lines on a recent show to hear from his fellow SoCal radio lovers about the shows they miss and the memories they have. Here's what they had to say:

A love for radio, then and now  

A pilot of KMPC's traffic alert helicopter pictured with his daughter and grandson.

(

Los Angeles Public Library

)

A 1963 picture of Valley State College (now Los Angeles Valley College) preparing to launch KVCM

(

Larry Leach

/

Los Angeles Public Library

)

“When you'd walk down Hollywood Boulevard where the station was, you could hear it playing as you went down the street,” said  Olivia in Glendale about KLAC 570 with Al Jarvis.

 Larry in Yorba Linda shouted out KBCA Jazz for its 24-hour jazz, saying “When I first moved out here in '68 from Phoenix, which had like an hour a week, it was a real wonder.”

 Mark in Glassell Park emailed that he loves KCRW’s Henry Rollins, writing, “I used to bristle at his unique DJ persona, but over time, I came to love him and his crazy eclectic playlists. I find his knowledge in history and punk rock fascinating. He's a gem and a legend."

"I'd like to give a shout-out to all the DJs working at KXLU, the college station at Loyola Marymount University, said  Jeremy in Culver City in an email. “That station's been on the air for nearly 60 years. I believe it's one of the best examples of what's possible with radio."

"KFWB and KRLA back in the day when they were rock music stations —  Dr. Demento, one of my favorite on-air personalities, also had eclectic music taste," said  Carrie in Desert Edge.

“ Dr. Demento was must listening when I was a kid in junior high school at Le Conte Junior High in Hollywood,” Mantle added. “Every Sunday night on KMET, we would make sure we were listening to Dr. Demento and his funny records.”

The question remains…

An 11-year-old winning a car in a KMPC contest in 1963.

(

Los Angeles Public Library

)

Listener support is vital to any radio station, and it’s clear KNX has many lifelong fans. AirTalk listeners highlighted their support for household KNX names over the decades like Bill Keene, Melinda Lee, Mike Roy and Jackie Olden.

As KNX makes changes, many are watching closely and thinking about the future of radio.

Listeners like Tommy in La Quinta are left wondering if the radio dial will be the same…

“I’m a hardcore listener, but I don't know about casual listeners [and] if they'll tune to AM,” he said.

After months of hand-wringing, Los Angeles and LA28 have come to a tentative agreement on how Olympics organizers will reimburse the city for its expenses for the 2028 Summer Games.

According to the deal, the private Olympic organizing committee will pay upfront for the estimated cost of services that are not eligible for federal reimbursement, like trash pick-up and traffic control. Under another proposal, the city would also be able to tap an LA28 contingency fund if it isn't fully repaid by the federal government for policing costs at Olympic venues.

The agreement is nearly nine months overdue and still needs approval by Mayor Karen Bass and the City Council.

The 2028 Olympics are intended to be privately financed, and an existing city agreement with LA28 states that the Olympics organizers, not L.A., will pay for extra costs for public services in support of the Games. But L.A. is the financial back-stop for the Olympics, meaning if LA28 goes in the red, taxpayers will pick up the bill.

Beyond that, the city services agreement presents another area where L.A. could incur additional unexpected expenses for hosting the Games. L.A. City Councilmember Monica Rodriguez warned LA28 CEO Reynold Hoover earlier this year that a bad deal could "bankrupt" the city.

Jacie Prieto Lopez, an LA28 spokesperson, and Paul Krekorian, who leads the city's office of major events, said in statements that the freshly inked agreement would help deliver a fiscally responsible Games.

"Mayor Bass’ priority is that the 2028 Olympic and Paralympic Games be fiscally responsible, protect taxpayers, and benefit Angelenos for decades to come. This agreement helps deliver that commitment," Krekorian said.

But the contract between the two parties doesn't fully resolve one of the biggest areas of financial risk for the city: the enormous cost of security for an event as extensive and high-profile as the summer Olympics and Paralympics.

Organizers are counting on the federal government to pay for public safety at Olympic venues that are considered part of a "national special security event." That includes costs for LAPD staffing. LA28 has not included security costs in its $7.1 billion budget — a fact that City Attorney Hydee Feldstein Soto criticized earlier this year.

The federal government has so far allocated $1 billion for security costs for the Olympics. Exactly where those federal funds will go has not yet been determined, and there's no guarantee they will cover all of L.A.'s policing costs.

To address this, city officials have also proposed an amendment to a 2021 agreement between the city and LA28. That amendment would establish that if L.A. is not reimbursed by the federal government for all its eligible expenses, it could dip into LA28's contingency fund of $270 million before the private organizing committee could use those funds for any legacy projects.

But that bucket of money will first be used for any costs that Olympics organizers still owe if they run out of revenue — meaning if the Olympics don't turn a profit, the city's access to that money will depend on how much is left for the taking.

Civil rights attorney Connie Rice, who has been tracking the city's negotiations with LA28, told LAist the agreement was a "PR document" not a deal. She pointed out that if the federal government does not pay up for security spending as expected, L.A. could be in trouble.

" It leaves the taxpayers with a GoFundMe strategy," she said.

The city services agreement lays the groundwork for more negotiations between LA28 and the city. Each venue will require its own agreement, to be negotiated by July 1, 2027. Venues in the city of L.A. include Dodger Stadium, the L.A. Convention Center, L.A. Memorial Coliseum and the Venice Beach Boardwalk.

The City Council's ad-hoc committee on the 2028 Games will meet Tuesday afternoon to vote on the agreement.