May 2026 Instructure/Canvas Security Breach Updates

May 8th, 2026

Messaging below was shared on the corresponding dates with HCPSS staff and families regarding a security breach with Instructure, the vendor for the Canvas Learning Management System.


Canvas Breach Update, May 12, 2026

Last night (May 11), Instructure notified the HCPSS Information Technology (IT) team that it had “reached an agreement with the unauthorized actor involved in this incident.” Per Instructure, as part of that agreement, the data involved was returned, assurances were provided that the information would not be shared on the web, and proof was received that any copies of the data posted had been deleted.

With the support of a third-party security vendor, HCPSS IT staff continue to monitor for suspicious activity. Please continue to remain vigilant and exercise caution regarding any suspicious online activity, emails, or messages.

Thank you for your continued patience and understanding as we work with Instructure, outside cybersecurity experts, and partners across the state to help protect the information contained within our learning management system.


Access to Canvas to Resume May 10, 2026

The HCPSS Information Technology team has been monitoring for suspicious activity with the support of our third-party security vendor. To date, additional malicious activity has not been detected and HCPSS is preparing to enable users’ access to Canvas, which will be available beginning at 5 p.m., Sunday, May 10. Account activation for all Canvas users will take some time, and some accounts will become available before others.

While actions of HCPSS staff or students did not cause this incident, it is a serious reminder of the need to be cyberaware. With that in mind, please review and share with your children the following common security practices:

  1. Remain cautious and aware, and know how to respond to cybersecurity issues.
    1. Stop and disconnect.
    2. Tell an adult.
    3. Forward questionable school system related emails to abuse@hcpss.org.
  2. Evaluate messages for authenticity and be able to spot phishing emails.
    1. Asks for sensitive information.
    2. False sense of urgency.
    3. Odd grammar.
    4. Copies legitimate sources.
  3. Be vigilant when clicking on any links in and/or downloading files attached to emails or on websites.
    1. Users can confirm email notifications from Canvas by ensuring they are from notifications@instructure.com and hovering over links contained in the email to view the actual linked URL. Canvas links are https://hcpss.instructure.com/[course information].
    2. If uncertain about an email, navigate to the content by accessing Canvas directly through the website or app and locate the content, announcement or assignment.
  4. HCPSS does not store passwords in Canvas and users do not need to change their password.
    1. Do not enter your HCPSS password on unfamiliar authentication pages and beware of imitation authentication pages.
    2. At any point, if you believe your password is compromised, use the account self-service site to change your password.
      1. The self-service site, https://account.hcpss.org/self-service, is linked on the hcpss.me landing page under Students and Staff.
      2. Additionally, users can click “forgot password” on the blue login page.
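
The sender and link check from item 3 above, written out as an added example (not HCPSS or Instructure code). It reads a raw email, compares the From address with notifications@instructure.com, and flags any link whose real target is not an https URL on hcpss.instructure.com. The sample messages, course paths and `.example` domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_SENDER = "notifications@instructure.com"  # sender named in the guidance
EXPECTED_HOST = "hcpss.instructure.com"            # Canvas host named in the guidance

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag: the URL shown when hovering a link."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def link_is_canvas(url):
    """True only for https links whose exact hostname is the HCPSS Canvas host."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; excludes any user@ prefix and port
    except ValueError:
        return False
    return parts.scheme == "https" and host == EXPECTED_HOST

def check_message(raw):
    """Return (sender_ok, suspicious_links) for one raw email message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()  # address, not display name
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return sender == EXPECTED_SENDER, [h for h in collector.hrefs if not link_is_canvas(h)]

# Constructed sample messages (not real notifications).
SAMPLE_GOOD = (
    "From: Canvas <notifications@instructure.com>\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://hcpss.instructure.com/courses/101/assignments/5">Open</a>')
SAMPLE_SPOOFED = (
    'From: "notifications@instructure.com" <alerts@canvas-mail.example>\n'
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://hcpss.instructure.com.login-check.example/courses/101">'
    "https://hcpss.instructure.com/courses/101</a> "
    '<a href="https://hcpss.instructure.com@files.example/x">Download</a>')
print(check_message(SAMPLE_GOOD), check_message(SAMPLE_SPOOFED))
```

The From header is written by the sender and can be forged, so a matching sender alone does not authenticate a message; the link check shows where a click would actually lead.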

HCPSS recognizes the substantial disruption and stress this incident has caused, and appreciates your understanding.


Canvas Breach Additional Information, May 8, 2026

Although Instructure reported that Canvas is back online and available for use, HCPSS continues to restrict access as the school system has not received sufficient assurance as to the safety of the platform.

Protecting student and staff data remains a top priority. As part of HCPSS’ response, the school system has or is:

Early this morning, Instructure released an update indicating that yesterday an unauthorized actor made changes to the pages that appeared when some users were logged in. Instructure quickly identified this unauthorized activity and immediately took steps to contain it, including temporarily taking Canvas offline to prevent further unauthorized access. The company continues to work in coordination with its independent forensics partner, and has indicated that it has found no evidence that the unauthorized actor established persistence, obtained credentials for accounts within our institution, or downloaded any additional data.

HCPSS Department of Information Technology staff and school system leadership continue to receive updates from Instructure and monitor the system, and will communicate on Sunday about Canvas access for school on Monday.

HCPSS recognizes the substantial disruption and stress this incident has caused, and appreciates your understanding and patience.


Supporting Students With AP Exams During Canvas Breach, May 8, 2026

Shared with families of students in grades 9-12

Out of an abundance of caution following the Instructure/Canvas security breach, HCPSS continues to restrict access to Canvas to best ensure data is protected. While Canvas remains unavailable, HCPSS is committed to ensuring students can access study materials and resources they need.

In addition to materials provided by teachers, students who are studying for upcoming Advanced Placement (AP) exams may find the following resources to be helpful:

HCPSS recognizes the challenges many students face preparing for AP exams and apologizes for the added stress. We appreciate your understanding as staff work to ensure all services are safe for use.


Canvas Update, May 8, 2026

Due to continuing issues related to the Instructure/Canvas security breach, HCPSS-user access to Canvas remains turned off.

HCPSS staff are working to get more information from Instructure to ensure all services are confirmed to be safe for use.

Students, parents/guardians and staff should not attempt to access Canvas via a computer browser or mobile application.

Students should follow the directions of their teachers to understand how their teachers may continue providing academic resources. They may provide resources via Google Drive, Microsoft 365 (secondary students, email accounts, OneDrive, and SharePoint), Clever applications, and other services.


Canvas Temporarily Unavailable, May 7, 2026

Due to the recent security breach at Instructure/Canvas and a warning message some users are experiencing when accessing the platform, HCPSS is temporarily removing access to Canvas while the issue is being addressed. During this time, users will be unable to access the system.

Additional information will be shared as it becomes available.


Canvas Security Breach Update, May 6, 2026

This message is to follow up on details shared yesterday about a security breach at Instructure, the vendor for Canvas. Instructure last night informed us that HCPSS was impacted by a criminal threat actor who obtained data associated with the HCPSS Canvas platform. Instructure indicated the data may include personal information, though the specific types of information have not yet been identified. They have also reported no evidence of an ongoing threat.

Instructure has stated there is no indication that passwords, dates of birth, government identifiers, or financial information were involved. Regardless, families should be assured that HCPSS does not store student, parent/guardian, or staff passwords, dates of birth, government identifiers, or financial information in Canvas.

Instructure has notified law enforcement. With the assistance of forensic experts, Instructure is continuing to gather information to help HCPSS better understand the scope and impact of the incident.

Currently, we do not believe that pausing the use of Canvas is necessary. Instructure will continue providing updates to its clients. HCPSS will share additional information as it becomes available.


Possible Canvas Security Breach, May 5, 2026

HCPSS was recently notified that Instructure, the vendor for the Canvas Learning Management System, experienced a security incident in which information such as student or staff names, email addresses, unique system identifiers for users, and internal messages through Canvas at affected institutions may have been accessed.

Per Instructure, there is no evidence that passwords, dates of birth, government identifiers, or financial information were accessed. At this time, there is no indication that HCPSS was affected by the incident.

Instructure continues to provide updates to its clients. Additional information will be shared if it is determined that HCPSS was impacted.