Important Update: Canvas Security Incident
Wednesday, May 6, 2026, 12:20pmTO: Campus Community
FR: Thomas Dixon, Chief Information Security Officer, San Francisco Bay Region Network
This is to inform you of a recent cybersecurity incident involving Instructure at all CSU campuses, the vendor that provides Canvas, the learning management system for the CSUEB, SFSU, and SSU campuses.
We have been informed that the threat actor accessed data from many educational institutions worldwide stored at Instructure’s site, which likely included information from the CSU. Instructure is still confirming what data may have been exposed, but based on their preliminary assessment, it may include personal information such as names, campus email addresses, student ID numbers, and user messages. At this time, neither Instructure nor we are able to confirm whether any individual’s data was included. Canvas does not store passwords, Social Security numbers, financial information, or dates of birth.
Canvas remains fully operational, and there is no evidence of an ongoing threat. Instructure has contained the incident, remediated the vulnerability, and continues to investigate in coordination with external forensic experts and law enforcement.
Out of an abundance of caution, we encourage all community members to remain vigilant for phishing or suspicious communications and to report any such activity to [email protected].
Password resets are not required at this time; we will notify you if that guidance changes.
We are continuing to work with Instructure to determine the full scope of impact and will provide updates, including resources for affected individuals, as more information becomes available at https://lts.calstate.edu/csu-canvas-incident-reports. If you have any questions or concerns, please contact the Network Support Center (https://www.sfbrn.calstate.edu/support) or your local Academic Technology Support.