As we continue to learn more about the cybersecurity incident with Instructure/Canvas,
please be aware of phishing or social-engineering attempts. Social engineering is when attackers manipulate people into sharing information or
taking actions that compromise security. Phishing is a common form of social engineering
where someone pretends to be a trusted person/organization to trick you into sharing
sensitive information or clicking a harmful link.
As good general practice, please be alert to unexpected emails, text messages, or
phone calls that ask for personal information or direct you to log in through unfamiliar
links. If you receive a:
Message that looks suspicious, do not click links in it or open it; contact the IT Service Desk.
Direct email asking for personal information or money, do not respond; contact the
IT Service Desk.
We will share additional information as confirmed details become available.
What happened
On May 4, Instructure — the company that operates Canvas — notified Edmonds College
that an unauthorized third party obtained data associated with our Canvas environment.
This incident was not specifically directed at Edmonds College. Instructure serves
many institutions, and this appears to be a vendor-driven incident affecting multiple
education customers. Instructure has stated that the broader incident affected many
institutions in the United States. Instructure has reported that the attack occurred
on April 25, 2026; that the company detected the attacker on April 29; and that access
was revoked and the underlying vulnerability was addressed on April 30. Federal law
enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security
Agency (CISA), has been notified by Instructure.
What was involved at our college
Instructure has stated publicly that, across the broader incident, names, email addresses,
student ID numbers, and user-to-user Canvas messages were potentially involved. We
have asked Instructure to confirm specifically what was involved, including whether
Canvas messages were affected and how many users were impacted, and we will share
additional information as we receive it.
What was reportedly not involved
Instructure has stated that there is no indication that passwords, dates of birth,
Social Security numbers, or financial account information were involved. If Instructure’s
findings change, we will update affected community members.
What we are doing
We are working with the State Board for Community and Technical Colleges (SBCTC),
to press Instructure for additional information about what was specifically involved
at our college. We will provide further updates on this page as additional confirmed
information becomes available.
Instructure has indicated that organization-specific resources, including identity-protection
services for affected individuals, may follow. We will share details as they become
available.
Frequently Asked Questions
Instructure has confirmed that an unauthorized third party obtained data from our
college’s Canvas environment but at this time we do not know whose information was
obtained. Instructure has not yet provided the exact data elements or affected user
count for our college. As soon as we have specific information for our college, we
will share it with the affected community.
Based on current information, there is no indication that passwords were involved.
Canvas single sign-on does not provide Canvas with your password — you sign in to
Canvas using your Edmonds College account through our secure single sign-on. There
is no need to reset your password as a result of this incident. (As always, normal
good practice applies: Change your password if you have any other reason to believe
your account may have been compromised.)
Canvas is operating normally. Instructure has reported addressing the underlying vulnerability
and deploying additional protections across its platform. EDUCAUSE has issued sector
guidance saying no specific institutional remediation appears required at this time.
You can continue using Canvas for your coursework.
Instructure has stated publicly that user-to-user Canvas messages were potentially
involved across the broader incident. Instructure has not yet confirmed whether messages
from our college’s Canvas environment were specifically involved. We are asking Instructure
for that information and will share it when received. Course content (assignments,
files, grades) has not been described by Instructure as involved.
At this time, Instructure has reported no indication that passwords, dates of birth,
government identifiers, or financial account information were involved. Because those
data types have not been identified, credit monitoring may not be applicable based
on the information currently available. We are waiting for Instructure to provide
tenant-specific details about exact data elements and affected users. If Instructure
determines that identity-protection resources are appropriate, we will share that
information on this webpage and will send a Triton Alert.
Instructure publicly disclosed the incident on May 1, 2026. We received tenant-specific
confirmation that our Canvas environment was affected on May 4. We are sharing the
information as we are able and confirmed by the SBCTC rather than communicating based
on news reports or speculation.
There is no specific action required of you inside Canvas. As good general practice:
Be alert to unexpected emails, texts, or calls that request personal information or
that direct you to log in through unfamiliar links. Don’t click suspicious links;
instead, contact the IT Service Desk if anything looks off. If you sign in to other websites using the same email address,
make sure you have strong, unique passwords on those accounts and consider enabling
multi-factor authentication.
