Canvas (Instructure) Security Incident

The FBI’s cyber division encourages users to remain alert for suspicious activity. If you receive messages claiming someone has your data, do not respond or send money, as these claims are often exaggerated or fake. Be cautious of unexpected emails, calls, or texts that appear to come from the Seminary, Canvas, or law enforcement, and verify contact through known channels before responding.

May 1, 2026:

UPDATE: May 8, 2026

On May 7, an unauthorized actor made changes to the pages that appeared when some students and teachers were logged in. We quickly identified this unauthorized activity and immediately took steps to contain it, including temporarily taking Canvas offline into maintenance mode as a precaution to prevent further unauthorized access. Working in coordination with our independent forensics partner, we have found no evidence that the unauthorized actor established persistence, obtained credentials for accounts within your institution, or exfiltrated any additional data.

Additionally, we have confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. The entry point for the incident last week was also through the Free-For-Teacher accounts. As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts.

UPDATE May 10, 2026

Here's what we know.

This incident involved unauthorized access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.

We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review. We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.

...

1. Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised. 
   

UPDATE MAY 11, 2026

We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.

With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

1. The data was returned to us.
2. We received digital confirmation of data destruction (shred logs).
3. We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
4. This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.

We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.

Please continue to reference https://www.instructure.com/incident_update for the latest information from us.

Watch out for Phishing Messages

Cybercriminals sometimes use news of security incidents to send fake emails, text messages, or login pages designed to steal information.

Be cautious of messages that:

• Claim your account has been suspended or compromised
• Ask you to “verify” your password or personal information
• Create urgency or pressure you to act immediately
• Contain unexpected links or attachments
• Pretend to come from Canvas, IT Support, Microsoft, Google, or Seminary staff

Always verify website addresses carefully before signing in.

Use Strong Passwords

      Use a unique password for your Seminary accounts and avoid reusing passwords across multiple websites.

Enable Multi-Factor Authentication (MFA)

      Whenever possible, enable MFA on your accounts. MFA adds an additional layer of protection even if a password becomes compromised.

Be Careful with Links

      Instead of clicking links in emails or text messages, navigate directly to trusted websites such as:

• Canvas:                              https://canvas.asburyseminary.edu or https://asburyseminary.instructure.com
• Microsoft 365:                  https://myATS.asburyseminary.edu or https://myapps.microsoft.com/
• Asbury Seminary portals: https://connect.asburyseminary.edu

Monitor Your Accounts

      Watch for unexpected password reset emails, unfamiliar login notifications, or changes to your account settings.

Keep Devices Updated

      Install operating system, browser, and app updates regularly to help protect against known vulnerabilities.

Reporting Suspicious Messages

If you receive suspicious emails or messages claiming to relate to Canvas, your Seminary account, or this incident:

• Do not click links or open attachments
• Report the message to the Asbury Seminary Help Desk
• Mark the message as SPAM after reporting it. 
  

Additional Information

For official updates regarding the Canvas incident, visit:

• Instructure Status Page

Asbury Seminary continues to monitor information provided by Instructure and will share additional guidance if needed.