Canvas Degradation

Incident Report for Brown University

Postmortem

What services were affected? For how long?

From approximately 4 p.m. on Thursday, May 7, to 9 a.m. on Friday, May 8, the Canvas Learning Management system was not available due to an external attack on Instructure, the company who provides Canvas as a service. Canvas is used extensively by instructors and students to manage course-related content, communication, collaboration, assignments and assessments in support of teaching and learning. This was a particularly challenging time for the Brown community to experience a Canvas outage due to critical timing at the start of the Spring final exam period.

Who was affected?

This outage impacted all users of Canvas at Brown and over 8800 other institutions who use Canvas, including faculty, staff, and students at every level – undergraduate, PhD, medical, and master’s and professional students. 

What happened?

Instructure and their Canvas platform was compromised by a third-party attacker. Instructure has published a detailed post-incident FAQ with more information about this incident. 

According to their reports, on Wednesday, April 29, 2026, the team at Instructure noticed that an outside actor had gained unauthorized access to their system. They blocked the intruder, launched an investigation, and brought in professional digital security experts to help.

By Thursday, May 7, 2026, the intruder took new steps by defacing certain pages seen by many students and instructors. To prevent any further unauthorized access, Instructure briefly took Canvas offline and put it in "maintenance mode." This allowed them to further secure the Canvas system, investigate, and add stronger protections.

The primary impact of this incident was felt by the Brown community beginning at approximately 4 p.m. on Thursday, May 7, when Brown Canvas users were not able to log in and the Brown Canvas page was defaced with an alarming message from the attackers. Other institutions using Canvas widely reported the same experience at the same time.

OIT's incident response timeline includes these major events:

Friday, May 1, 2026

  • At 6:30 p.m., Instructure reported a cybersecurity incident under investigation.

Saturday, May 2

  • At 2:46 p.m., Instructure published an update with some limited information about the attack, that they believed the incident to be contained, and that they would continue monitoring and analyzing.

Monday, May 4

  • At approximately 10:00 a.m., OIT became aware of widespread reports that Instructure had been attacked and that some Canvas data may have been taken without authorization. OIT and the Digital Learning and Design (DLD) team at the Sheridan Center assembled an incident response team to assess the situation and take any available actions as security precautions. 
  • Over the next few days, OIT and DLD closely monitored  for updates from Instructure and the media, and maintained open channels with Instructure and peer institutions. In addition, we took any further precautions recommended by Instructure.

Thursday, May 7

  • At 4:03 p.m. DLD observed that Brown's Canvas pages had been defaced by the attacker and reported it to OIT. OIT and DLD re-assembled the incident response team. We determined rapidly that this problem was affecting multiple institutions, and confirmed with Instructure that they were aware of the outage.
  • At 4:23 p.m., OIT posted an alert on its IT Status Page to inform the community that the system was experiencing degradation and that we were investigating this issue. In addition we added outage information to the automated phone greeting at the IT Service Center. OIT leadership reached out to academic and executive leadership teams to inform them of the outage, and to develop university-wide communications with academic leadership.
  • OIT and DLD continued through the afternoon and evening to analyze further, advise instructors and students with steps they could take, start assessing what data may have been exposed and the associated risks, and establish methods to recover Brown's Canvas data rapidly for academic continuity.
  • At approximately 8:00 p.m., Provost Frank Doyle sent an email to the Brown community to announce the outage and share that OIT would send more guidance soon.
  • At approximately 8:30 p.m., VPIT/CIO Christopher Keith sent an email to the Brown community with additional information and steps they could take. 
  • At 8:48 p.m., OIT posted the same information on our IT Status Page and continued monitoring for updates.

Friday, May 8

  • At approximately 3:50 a.m. on the morning of Friday, May 8, Instructure notified its customers that most Canvas sites were back in service..
  • At approximately 4 a.m., Canvas administrators at Brown found some functionality was restored, but not all.
  • At approximately 5:45 a.m., OIT and DLD found that Brown's Canvas site was responding only for users of the Canvas mobile app, and for users who had already logged in to Canvas on the web the previous day, but was not logging in correctly for most users needing to log in as a new session.  They re-assembled the response team to investigate and attempt to restore service fully. Starting at approximately 8 a.m., we began to hear from peer institutions with similar problems. Ultimately, we identified the root problem and determined it could only be resolved by Instructure.
  • At 9:02 a.m., OIT and DLD staff were able to log in to Canvas successfully, and continued to monitor and verify that the system was safe and accessible for everyone. 
  • At 9:50 a.m., Canvas was considered to be restored and OIT continued to monitor and validate the stability and security of the service.
  • At approximately 11:40 a.m., VPIT/CIO Christopher Keith sent email to the Brown community, and OIT posted an update to the IT Status Page, to share that the Canvas service had been restored and that OIT would continue monitoring the system. 
  • At approximately 12:30 p.m. Provost Frank Doyle sent a follow-up email to faculty with additional information about the impacts of the Canvas outage on the end of the semester.
  • Following the restoration of service, and throughout the following weekend, OIT and DLD maintained contact with Instructure and with peer institutions to get more information about the integrity of the system and Brown’s data stored in it. 

Monday, May 11

At approximately 6:50 p.m., Instructure released a public statement that confirmed they had reached an agreement with the unauthorized actor involved in the incident. As part of that agreement, the unauthorized actor purports to have returned all data, deleted all copies, and to refrain from further exploitation of Instructure customers. 

Tuesday, May 12

At 4:35 p.m., after monitoring for an additional day as a precaution, OIT resolved the service alert on its IT Status Page.

What is OIT doing about it?

OIT and DLD worked quickly to replace critical credentials used for our Canvas integrations, provide continuity solutions during the outage, mitigate any ongoing threat to the Brown community, and develop a technical response and support plan. During the time that Canvas was inaccessible, DLD published guides for faculty members for sharing course materials via Google Shared Drive and Google Course Groups. 

We also took specific actions during the incident to assess the risk of sensitive Brown data being exposed, including but not limited to user credentials and passwords. In our specific Canvas configuration, Canvas does not have access to Brown password data, so there was not a risk of losing all passwords for the entire community. However, we found a single concern regarding any individual members of the community who tried to log in to Canvas specifically between 4:00 and 4:30 p.m on Thursday, May 7. This is the only time that the Canvas login experience was not within Brown's control and presented a potential risk of capturing passwords entered by users. As a precaution, all our public messaging during the incident strongly encouraged anyone who tried to log in during that period to change their Brown password. 

After Canvas services were confirmed to be operating normally, OIT and DLD continued to communicate directly with Instructure, and requested more information and validation of Brown data. Instructure has provided some additional details and we remain engaged with them. We continue to monitor Canvas for any signs of compromise.

OIT will also continue work with DLD and academic leaders to further strengthen our systems resiliency planning, to ensure protection and availability of the critical academic information kept in Canvas.

In the wake of this incident, OIT encourages all community members to remain vigilant for phishing attempts or other suspicious messages that reference Canvas, Instructure, account access, or related topics. At this time, neither Brown nor Instructure has any indication that Brown account credentials were compromised as a result of this incident. However, incidents of this scale are often used by malicious actors to create convincing follow-up scams. Please use caution with unexpected messages, do not click suspicious links, and report suspicious emails using the Phish Alert button in Gmail.

Posted Jun 08, 2026 - 10:40 EDT

Resolved

All Canvas services have been restored and validated. Instructure, the company who provides Canvas, has shared a detailed FAQ about this service outage that affected all their customers. OIT will soon follow up in this service alert with a detailed Brown-specific after-action report.
Posted May 12, 2026 - 16:35 EDT

Monitoring

Access to Canvas is Restored

As of approximately 9:00 a.m. this morning (Friday, May 8), access to the Canvas learning management platform has been restored for all Brown community members. All Canvas services have been restored with the one exception of the HTML Editor feature, which currently is disabled by Instructure.

Today’s restoration of the Canvas platform at Brown follows a significant cybersecurity incident affecting Instructure, the company that operates Canvas. As we shared on Thursday, Canvas was unavailable at Brown and more than 8,000 schools across the country.

While our expectation is that Canvas will remain operational moving forward, this remains an external vendor incident involving Instructure — not a direct compromise of Brown systems — so we continue to take all possible steps to ensure our environment remains secure. The Office of Information Technology will continue to monitor the Canvas service and will keep the community informed through this status page alert if there is any need for additional updates.

In addition, Brown’s academic leaders will follow up today with all course instructors to provide additional guidance about ensuring continued access to information maintained in Canvas.

Please note:

- You should change your Brown password as soon as possible via https://myaccount.brown.edu/profile/brownpassword as a precaution if you attempted to log in to Canvas between 4:00 and 4:30 p.m. on Thursday, May 7, when the system’s login function may have been temporarily controlled by the threat actor behind the Instructure cyber incident.

- If you attempted to log in to Canvas after 4:30 p.m. on Thursday but before the system’s restoration this morning, you do not need to take action. We have confirmed that usernames and passwords were safely contained within Brown's systems during that period.

We recognize that this outage has impacted all students and instructors using Canvas at a critical time of the semester, and we are grateful for your patience and understanding.
Posted May 08, 2026 - 11:44 EDT

Identified

Update on the Canvas Security Threat and Temporary Outage:

Earlier today, Brown and more than 8,000 schools across the country were impacted by the escalation of a significant cybersecurity incident affecting Instructure, the company that operates the Canvas learning management platform. For approximately 20 minutes this afternoon, Brown community members visiting the login page for Canvas were redirected to a webpage that may have been temporarily controlled by the threat actor behind the Instructure cyber incident. Staff in the Office of Information Technology (OIT) and Digital Learning & Design took immediate steps to mitigate any ongoing threat to the Brown community and begin the work of developing a full response plan.

At this stage, access to Canvas remains disabled for all Brown community members, and we do not yet have a timeline for restoration. The Canvas outage impacts students at every level – undergraduate, PhD, medical, and master’s and professional students. We recognize that the impacts for coursework at Brown, particularly as we reach the end of the semester, are significant. Academic and administrative leaders are actively working this evening to address the cyber incident, determine solutions and plan for potential interim measures should access to Canvas remain disabled in the coming days. Our understanding is that no systems beyond Canvas have been impacted.

At this time we recommend users of Canvas consider these actions:

- If you entered your Brown username and password to log in to Canvas between approximately 4 and 4:30 p.m. today, as a precaution you should reset your Brown password as soon as possible using OIT's self-service Change Brown Password page (https://myaccount.brown.edu/profile/brownpassword).

- If you are an instructor and need to contact your students or share course materials with them outside of Canvas, you have options to reach students in your course through Class Lists, Google Course Groups, and sharing materials through Google Drive (https://help.canvas.brown.edu/a/2073094-canvas-incident-information).

- OIT will update this incident's IT Status Alert as soon as there is new information to share. You can subscribe to alerts to follow any updates.

This afternoon’s incident marks an escalation in an Instructure data breach that began in recent days. In addition to the implications of Canvas being currently disabled, OIT is reviewing the potential impact to Brown community members in regard to data accessed in the Instructure breach. According to the company, the information involved may include names, email addresses, student ID numbers and messages exchanged in Canvas. Brown does not store passwords, dates of birth, government identifiers or financial information in Canvas, and there is therefore no risk to this information being exposed for any Brown community as part of this breach. This was an external vendor incident involving Instructure — not a direct compromise of Brown systems — and we are taking all possible steps to ensure our environment remains secure.

Because incidents like this can lead to follow-up phishing attempts, please be cautious with unexpected or suspicious messages, particularly those referencing Canvas. In addition:

- Never share your passwords, Duo codes, social security number, banking information or other sensitive information by email, text or phone.

- If you receive a suspicious email message, report it via the Phish Alert button in Gmail (https://go.brown.edu/phishalert). Do not click on links or interact otherwise with unexpected messages.

- If you receive any other suspicious correspondence or have questions, please contact the OIT Service Center at 401-863-4357 or help@brown.edu.

We recognize that students, faculty and staff will have many questions. Please know we are working quickly to develop solutions. We will share updates as soon as we are able. We understand this incident is causing disruption, and we are grateful for your patience.
Posted May 07, 2026 - 20:45 EDT

Investigating

The Canvas service is experiencing degradation. OIT is investigating this issue.
Posted May 07, 2026 - 16:23 EDT
This incident affected: Teaching and Learning (Canvas Course Platform).