May 2026 Instructure/Canvas Security Breach Updates

May 8th, 2026

Messaging below was shared on the corresponding dates with HCPSS staff and families regarding a security breach with Instructure, the vendor for the Canvas Learning Management System.

Canvas Breach Additional Information, May 8, 2026

This message is to follow up on the Instructure/Canvas security breach. Previous messages may be found on this webpage. You also can learn more about the incident on the Instructure website.

Although Instructure reported that Canvas is back online and available for use, HCPSS continues to restrict access as the school system has not received sufficient assurance as to the safety of the platform.

Protecting student and staff data remains a top priority. As part of HCPSS’ response, the school system has or is:

• Restricting account access to Canvas, in which staff, students and parents/guardians cannot log in to the system.
• Restricting data from being sent to and imported from Canvas.
• Working directly with Instructure, which is providing HCPSS with regular updates.
• Monitoring systems for any suspicious activity and have reported the incident to our third-party technology security partner and the Maryland Security Operations.
• Discussing the incident with nearby school districts that are also impacted.
• Communicating updates to families as additional confirmed information becomes available.

Early this morning, Instructure released an update indicating that yesterday an unauthorized actor made changes to the pages that appeared when some users were logged in. Instructure quickly identified this unauthorized activity and immediately took steps to contain it, including temporarily taking Canvas offline to prevent further unauthorized access. The company continues to work in coordination with their independent forensics partner, and have indicated that they have found no evidence that the unauthorized actor established persistence, obtained credentials for accounts within our institution, or downloaded any additional data.

HCPSS Department of Information Technology staff and school system leadership continue to receive updates from Instructure and monitor the system, and will communicate on Sunday about Canvas access for school on Monday.

HCPSS recognizes the substantial disruption and stress this incident has caused, and appreciates your understanding and patience.

Supporting Students With AP Exams During Canvas Breach, May 8, 2026

Out of an abundance of caution following the Instructure/Canvas security breach, HCPSS continues to restrict access to Canvas to best ensure data is protected. While Canvas remains unavailable, HCPSS is committed to ensuring students can access study materials and resources they need.

In addition to materials provided by teachers, students who are studying for upcoming Advanced Placement (AP) exams may find the following resources to be helpful:

• College Board AP Classroom – To access student AP practice assessments and resources
• College Board – Free Resources to Prepare for AP Exams
• Howard County Library System – Via hcpss.me, LearningExpress Library with AP practice exams and study materials
• From hcpss.me, select HC Library and login with HCPSS student credentials
• Students will get a digital card with barcode/PIN
• Select A+ Students under the PIN
• From HCLS website, select Digital Library > Homework & Test Prep then scroll to LearningExpress Library.
• Log in using digital card barcode/PIN
• Scroll to Academic Skills and Test Preparation > College Admission Test Preparation

HCPSS recognizes the challenges many students face preparing for AP exams and apologizes for the added stress. We appreciate your understanding as staff work to ensure all services are safe for use.

Canvas Update, May 8, 2026

Due to continuing issues related to the Instructure/Canvas security breach, HCPSS-user access to Canvas remains turned off.

HCPSS staff are working to get more information from Instructure to ensure all services are confirmed to be safe for use.

Students, parents/guardians and staff should not attempt to access Canvas via a computer browser or mobile application.

Students should follow the directions of their teachers to understand how their teachers may continue providing academic resources. They may provide resources via Google Drive, Microsoft 365 (secondary students, email accounts, OneDrive, and SharePoint), Clever applications, and other services.

Canvas Temporarily Unavailable, May 7, 2026

Due to the recent security breach at Instructure/Canvas and a warning message some users are experiencing when accessing the platform, HCPSS is temporarily removing access to Canvas while the issue is being addressed. During this time, users will be unable to access the system.

Additional information will be shared as it becomes available.

Canvas Security Breach Update, May 6, 2026

This message is to follow up on details shared yesterday about a security breach at Instructure, the vendor for Canvas. Instructure last night informed us that HCPSS was impacted by a criminal threat actor who obtained data associated with the HCPSS Canvas platform. Instructure indicated the data may include personal information, though the specific types of information have not yet been identified. They have also reported no evidence of an ongoing threat.

Instructure has stated there is no indication that passwords, dates of birth, government identifiers, or financial information were involved. Regardless, families should be assured that HCPSS does not store student, parent/guardian, or staff passwords, dates of birth, government identifiers, or financial information in Canvas.

Instructure has notified law enforcement. With the assistance of forensic experts, Instructure is continuing to gather information to help HCPSS better understand the scope and impact of the incident.

Currently, we do not believe that pausing the use of Canvas is necessary. Instructure will continue providing updates to its clients. HCPSS will share additional information as it becomes available.

Possible Canvas Security Breach, May 5, 2026

HCPSS was recently notified that Instructure, the vendor for the Canvas Learning Management System, experienced a security incident in which information such as student or staff names, email addresses, unique system identifiers for users, and internal messages through Canvas at affected institutions may have been accessed.

Per Instructure, there is no evidence that passwords, dates of birth, government identifiers, or financial information were accessed. At this time, there is no indication that HCPSS was affected by the incident.

Instructure continues to provide updates to its clients. Additional information will be shared if it is determined that HCPSS was impacted.