Instructure Canvas Nationwide Security Incident
USU Update - May 12, 2026
Instructure has confirmed that the data involved in this incident was returned and that copies were deleted. According to the Utah System of Higher Education, the compromised information cannot be used to access your Canvas or USU account.
USU will continue to coordinate with Instructure and monitor the situation and our Canvas environment.
Data security incidents are often followed by increase phishing attempts. For more information on cybersecurity awareness, including examples of phishing scams targeting our campus, visit the USU Phish Bowl webpage.
This was not a breach of USU’s systems. USU is actively monitoring updates from Instructure and assessing any potential impact. Updates from Instructure are available on their Security Incident Update & FAQs and status page. We will provide additional information as it becomes available. For general inquires, please contact USU Data Privacy Office - privacy@usu.edu.
USU Update — May 11, 2026
As Instructure's investigation continues, USU has been notified that additional types of data were involved in the security incident, beyond what was reported in our earlier notice.
Previously Reported:Names, email addresses, student ID numbers, and user messages within Canvas
Additionally Confirmed: Usernames, course names, and enrollment information.
There continues to be no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
This was not a breach of USU’s systems. USU is actively monitoring updates from Instructure and assessing any potential impact. Updates from Instructure are available on their Security Incident Update & FAQs and status page. We will provide additional information as it becomes available. For general inquires, please contact USU Data Privacy Office - privacy@usu.edu.
USHE Update - May 8, 2026
Please visit USHE's Instructure Data Incident Public Notice webpage for further information regarding the incident.
This was not a breach of USU’s systems. USU is actively monitoring updates from Instructure and assessing any potential impact. Updates from Instructure are available on their Security Incident Update & FAQs and status page. We will provide additional information as it becomes available. For general inquires, please contact USU Data Privacy Office - privacy@usu.edu.
USU Update - May 8, 2026
On May 7, USU shared that Canvas was fully operational based on the information available at that time. Later that afternoon, Instructure identified unauthorized activity and proactively placed Canvas into maintenance mode while they investigated and contained the issue.
Instructure restored Canvas service late on May 7 following a temporary precautionary outage related to unauthorized changes affecting some Canvas pages.
According to Instructure:
“On May 7, an unauthorized actor made changes to the pages that appeared when some students and teachers were logged in. We quickly identified this unauthorized activity and immediately took steps to contain it, including temporarily taking Canvas offline into maintenance mode as a precaution. Working with an independent forensics partner, we have found no evidence that the actor established persistence, obtained credentials, or exfiltrated data.”
This was not a breach of USU’s systems. USU is actively monitoring updates from Instructure and assessing any potential impact. Updates from Instructure are available on their Security Incident Update & FAQs and status page. We will provide additional information as it becomes available. For general inquires, please contact USU Data Privacy Office - privacy@usu.edu.
USU Statement - May 7, 2026
Utah State University is aware of a nationwide cybersecurity incident involving Canvas, the university’s learning management system. This incident is associated with Instructure, the parent company of Canvas, and impacts multiple institutions.
USU was notified by Instructure that a criminal threat actor obtained certain data associated with some Canvas user accounts. Based on information currently provided by Instructure, the data involved may include identifying information such as names, email addresses, student ID numbers, and user messages. At this time, there is no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
Canvas remains fully operational with no disruption to university services. No action needs to be taken aside from continuing to remain diligent about basic cybersecurity protections.
This was not a breach of USU’s systems. USU is actively monitoring updates from Instructure and assessing any potential impact. Updates from Instructure are available on their Security Incident Update & FAQs and status page. We will provide additional information as it becomes available. For general inquires, please contact USU Data Privacy Office - privacy@usu.edu.
Utah System of Higher Education Statement - May 6, 2026
USHE is aware of a recently reported data security incident involving Instructure, the company that provides the Canvas learning management system used by many colleges and universities nationwide.
At this time, USHE is monitoring information provided by Instructure as the company continues its investigation. According to Instructure, the incident has been contained, and the company is continuing to assess the scope and nature of the information involved.
Additional information and guidance will be shared directly with impacted Utah public colleges and universities, as more details become available.
This was not a breach of USU’s systems. USU is actively monitoring updates from Instructure and assessing any potential impact. Updates from Instructure are available on their Security Incident Update & FAQs and status page. We will provide additional information as it becomes available. For general inquires, please contact USU Data Privacy Office - privacy@usu.edu.
- Stay alert for suspicious messages. Do not click links in unsolicited messages claiming to be from Canvas, Instructure. Take note of how to identify a phishing attack.
- Do not click links in unexpected emails that appear to come from Canvas or Instructure. Forward anything suspicious to phish@usu.edu.
- Reach Canvas and other websites by going to them directly.
- Secure your accounts. Enable multi-factor authentication (MFA) and use long passphrases for all of your accounts. MFA adds a second check beyond your password.
- Never share your password or a two-factor code with anyone, even someone who claims to be from a trusted organization.
- Be cautious with links and attachments from unknown senders. Both can carry malware that compromises your device or steals your information.
- Keep your software and operating system up to date. Updates patch known security weaknesses that attackers rely on.
- For general inquiries, contact the USU Data Privacy Office: privacy@usu.edu.