From approximately 4 p.m. on Thursday, May 7, to 9 a.m. on Friday, May 8, the Canvas Learning Management system was not available due to an external attack on Instructure, the company who provides Canvas as a service. Canvas is used extensively by instructors and students to manage course-related content, communication, collaboration, assignments and assessments in support of teaching and learning. This was a particularly challenging time for the Brown community to experience a Canvas outage due to critical timing at the start of the Spring final exam period.
This outage impacted all users of Canvas at Brown and over 8800 other institutions who use Canvas, including faculty, staff, and students at every level – undergraduate, PhD, medical, and master’s and professional students.
Instructure and their Canvas platform was compromised by a third-party attacker. Instructure has published a detailed post-incident FAQ with more information about this incident.
According to their reports, on Wednesday, April 29, 2026, the team at Instructure noticed that an outside actor had gained unauthorized access to their system. They blocked the intruder, launched an investigation, and brought in professional digital security experts to help.
By Thursday, May 7, 2026, the intruder took new steps by defacing certain pages seen by many students and instructors. To prevent any further unauthorized access, Instructure briefly took Canvas offline and put it in "maintenance mode." This allowed them to further secure the Canvas system, investigate, and add stronger protections.
The primary impact of this incident was felt by the Brown community beginning at approximately 4 p.m. on Thursday, May 7, when Brown Canvas users were not able to log in and the Brown Canvas page was defaced with an alarming message from the attackers. Other institutions using Canvas widely reported the same experience at the same time.
OIT's incident response timeline includes these major events:
At approximately 6:50 p.m., Instructure released a public statement that confirmed they had reached an agreement with the unauthorized actor involved in the incident. As part of that agreement, the unauthorized actor purports to have returned all data, deleted all copies, and to refrain from further exploitation of Instructure customers.
At 4:35 p.m., after monitoring for an additional day as a precaution, OIT resolved the service alert on its IT Status Page.
OIT and DLD worked quickly to replace critical credentials used for our Canvas integrations, provide continuity solutions during the outage, mitigate any ongoing threat to the Brown community, and develop a technical response and support plan. During the time that Canvas was inaccessible, DLD published guides for faculty members for sharing course materials via Google Shared Drive and Google Course Groups.
We also took specific actions during the incident to assess the risk of sensitive Brown data being exposed, including but not limited to user credentials and passwords. In our specific Canvas configuration, Canvas does not have access to Brown password data, so there was not a risk of losing all passwords for the entire community. However, we found a single concern regarding any individual members of the community who tried to log in to Canvas specifically between 4:00 and 4:30 p.m on Thursday, May 7. This is the only time that the Canvas login experience was not within Brown's control and presented a potential risk of capturing passwords entered by users. As a precaution, all our public messaging during the incident strongly encouraged anyone who tried to log in during that period to change their Brown password.
After Canvas services were confirmed to be operating normally, OIT and DLD continued to communicate directly with Instructure, and requested more information and validation of Brown data. Instructure has provided some additional details and we remain engaged with them. We continue to monitor Canvas for any signs of compromise.
OIT will also continue work with DLD and academic leaders to further strengthen our systems resiliency planning, to ensure protection and availability of the critical academic information kept in Canvas.
In the wake of this incident, OIT encourages all community members to remain vigilant for phishing attempts or other suspicious messages that reference Canvas, Instructure, account access, or related topics. At this time, neither Brown nor Instructure has any indication that Brown account credentials were compromised as a result of this incident. However, incidents of this scale are often used by malicious actors to create convincing follow-up scams. Please use caution with unexpected messages, do not click suspicious links, and report suspicious emails using the Phish Alert button in Gmail.