Canvas / Instructure Cybersecurity Incident

ACTIVE SECURITY INCIDENT

SVA IT is actively monitoring an ongoing cybersecurity incident involving Instructure, the vendor that provides the Canvas learning management system. This page consolidates what we know, what we are doing, and what you should be doing right now.

Incident Status

Under Investigation

Required Action

Heightened Vigilance

Owner

SVA IT — Information Security

Last Updated

May 8, 2026

01 — SITUATION

What is happening

Instructure has reported a cybersecurity incident affecting the Canvas platform. According to Instructure, the data may include personal information such as names, email addresses, and student ID numbers. Instructure has stated that there is no current indication that passwords, dates of birth, government identifiers, or financial information were involved, and SVA does not store this type of information in Canvas.

Investigation is ongoing in coordination with Instructure. SVA IT will contact you directly if any action is required.

Why this page exists. Threat actors routinely use information from incidents like this to launch targeted phishing attacks. The most important thing the SVA community can do right now is treat unsolicited communications with extreme caution.

02 — BEST PRACTICES

What you should be doing

The following are essential security practices during any active incident. They apply to all SVA students and faculty, regardless of which systems you use day-to-day.

Treat unsolicited messages as suspicious

✓ Verify the sender on every email, text, or call — especially any that mention Canvas, Instructure, grades, accounts, or SVA login.
✓ Hover before you click. Inspect the actual destination of any link before opening it. Phishing links often impersonate familiar domains.
✓ Do not open unexpected attachments, even if the sender appears familiar. When in doubt, confirm through a separate channel.
✓ Be skeptical of urgency. Messages pressuring you to act quickly — "your account will be locked," "verify now" — are classic phishing tactics.

Protect your myID / Okta account

✓ Always sign in through myid.sva.edu. Do not authenticate via links sent in email or text.
✓ Never approve an unexpected MFA prompt. If you receive a two-factor authentication request and you are not actively signing in, deny it immediately.
✓ Report unexpected MFA prompts to helpdesk@sva.edu right away — this can be an early indicator of attempted account takeover.
✓ Use a unique password for your SVA account that is not used on any other site or service.

Report and respond

✓ Forward suspicious emails to privacy@sva.edu, then delete them from your inbox.
✓ If you clicked a suspicious link or entered credentials on a suspicious page, contact the SVA IT Helpdesk immediately. Acting fast limits the impact.
✓ Watch your SVA account activity for unfamiliar sign-ins or session activity.

03 — AVOID

What you should not do

✕ Do not reply to unsolicited messages claiming to be from SVA, Canvas, or Instructure.
✕ Do not click links in unexpected emails or text messages, even if they appear legitimate.
✕ Do not open attachments you were not expecting, regardless of who appears to have sent them.
✕ Do not approve MFA prompts you did not initiate. Always deny and report.
✕ Do not enter your SVA credentials on any site you reached by clicking a link in a message. Always navigate directly to myid.sva.edu.
✕ Do not share account information, verification codes, or passwords with anyone — SVA IT will never ask for them.

04 — COMMON QUESTIONS

Frequently asked

Was my password compromised?

Based on information from Instructure, there is no indication that passwords were involved in this incident. SVA authenticates Canvas through myID/Okta, so SVA passwords are not stored on Instructure’s systems. Continuing to follow strong password practices is recommended.

Do I need to change my SVA password?

No action is required at this time. SVA IT will contact you directly if that changes. If you would like to rotate your password as a personal precaution, you may do so at myid.sva.edu.

Is Canvas safe to use right now?

Canvas service status is being monitored continuously. Refer to the service status section below or to Instructure’s status page for real-time platform availability. Follow the vigilance practices on this page when interacting with any communications related to Canvas.

How will SVA IT contact me if action is needed?

Any required action will be communicated through official SVA channels — your sva.edu email account and through this page. SVA IT will never ask for your password, MFA code, or other credentials by email, text, or phone.

I think I may have clicked a phishing link. What now?

Contact the SVA IT Helpdesk immediately at helpdesk@sva.edu. The faster we know, the better we can protect your account and SVA’s environment. Do not feel embarrassed — quick reporting is the most valuable thing you can do.

SERVICE STATUS

Canvas

INVESTIGATING

myID / Okta

ONLINE

Microsoft 365

ONLINE

Google Workspace

ONLINE

REPORT OR GET HELP

IT Helpdesk

helpdesk@sva.edu

Suspicious Messages

privacy@sva.edu

Single Sign-On

myid.sva.edu

If you are unsure: When in doubt, do not click. Forward the message to privacy@sva.edu and let SVA IT verify it for you. Reporting takes thirty seconds and protects the entire community.