From the CIO

VCU Technology Services

VCU Technology Services wants to provide the VCU community with an update regarding the recent service disruptions and cybersecurity events involving Instructure (Canvas). While Instructure has restored service, we are committed to transparency regarding what happened, what data was involved, and how you can protect yourself.

What Happened

On May 1st, 2026, Instructure, the company that provides Canvas, alerted customers that a criminal cybersecurity event had occurred on April 30th. On May 6, 2026, VCU received notification from Instructure that VCU was impacted by the cyber incident, but at that time Instructure gave VCU no details about who or what types of data were impacted. On the afternoon of May 7th, around 4:00pm, a second event occurred in which ransom notes appeared on the login pages of several universities, including VCU. This led to a temporary shutdown of the Canvas environment for emergency maintenance by Instructure. Canvas was brought back online later that evening.

Current Status

Canvas has been fully operational since late in the evening of May 7th. VCU Technology Services has performed initial security checks on our courses and has not found signs of malware, but we are continuing to monitor the environment closely and are advising all individuals using Canvas to exercise caution.

What Data Was Exposed

Based on information provided by Instructure, the exposed data appears to include names, student IDs, email addresses and Canvas messages. At this time, it does not appear to include passwords, dates of birth, government identifiers, or financial information. Core learning data (course content, submissions, etc.) was also not compromised. Instructure has not yet provided us with a specific list of affected individuals or a full accounting of the compromised data as it relates to VCU. We have sought and continue to seek additional clarifications from Instructure.

Recommended Next Steps

While Instructure has provided assurances that their infrastructure is now safe, the exposure of contact information and student IDs increases the risk of phishing and social engineering attacks.

  • Be Alert for Phishing: Expect an increase in sophisticated “scam” emails. Attackers may use your name, ID, or even reference previous Canvas messages to look legitimate. Do not trust unexpected emails asking you to “re-verify” your account or “unlock” your Canvas access. Always verify that emails come from an official university address. 
  • Use Official Login Paths: Never log in to Canvas through a link sent in an email or a text message. Always navigate directly to the official VCU Canvas URL in your browser: https://canvas.vcu.edu
  • Verify Password Resets: Instructure has stated that passwords were not compromised. However, if you receive a password reset prompt that you did not request, do not click it and report it to the IT Support Center immediately.
  • Report Suspicious Activity: If you see anything unusual within your Canvas dashboard or receive suspicious messages from other users, please report it to the IT Support Center immediately.

VCU’s Ongoing Response

We are actively monitoring the situation and working directly with Instructure to obtain a full accounting of what data was accessed and which individuals were affected. We are also enhancing our monitoring of all user activities within Canvas to ensure the environment remains secure. We will continue to provide updates as new information becomes available, and any new incidents will be posted to our VCU IT Status page.

We understand the stress that service disruptions and security events cause, especially at the end of a busy semester. Thank you for your patience and for remaining vigilant.
