The University of Utah was notified on May 2 of a nationwide cybersecurity incident involving Instructure, the provider of the Canvas learning management system.

The university was among 9,000 public K-12 and higher education institutions around the world impacted when hackers were able to access Canvas databases on April 29 and May 7, 2026. Instructure reports that the issue has been resolved, and Canvas is fully operational, with no evidence of ongoing unauthorized access.

The university takes this matter seriously and is working closely with Instructure as they coordinate with law enforcement and third-party forensic experts to determine the full scope of the impact. Follow updates from UIT and Instructure at the company’s status page.

The data involved appears to be limited to personal information typically found in the campus directory—such as names, email addresses and student identification numbers. Instructure indicated it is possible that communications contained within the Canvas platform may have been impacted in the incident; it has found no evidence that passwords, financial records, government identifiers or dates of birth were compromised.

University of Utah systems were not breached.

Instructure has implemented enhanced security measures in Canvas, and the system is operational in advance of summer semester classes, which start on May 11.
UIT continues to follow best practices by:

• Coordinating the response between IT security and our LMS team
• Monitoring for phishing or unusual Canvas-related communications
• Reviewing authentication and token management for Canvas integrations
• Preparing internal communications in case of further updates

To protect your data, take the following actions immediately:

• People who experienced unexpected pop-ups or page changes in Canvas should change their university password as a precaution. Access password reset instructions in the U’s IT Knowledge Base (login required).
• In general, avoid reusing passwords, and stay alert for unusual activity, such as unsolicited Duo Mobile approval requests.

UIT will continue to monitor the situation, including updates from Instructure, and communicate new actionable information as needed. Read more about how to protect your online data and avoid phishing scams after a data breach.

The Utah System of Higher Education is also monitoring the incident response and posted an FAQ on May 8.