Canvas (Instructure) Security Incident: Frequently Asked Questions
Last updated: May 8, 2026
Holy Family University is providing this page to share information about the recent security incident affecting Instructure, the parent company of Canvas, which is Holy Family’s online learning platform. We will update this page as new information becomes available.
If you have a question that is not answered here, please contact the IT Help Desk or email canvasconcerns@holyfamily.edu.
What happened?
Beginning the week of April 30, 2026, Instructure publicly disclosed that an outside party gained unauthorized access to portions of the Canvas system. The incident affected a large number of educational institutions worldwide. A second event occurred on May 7, in which an unauthorized party temporarily altered the pages displayed to logged-in Canvas users at certain institutions, including Holy Family. Instructure took Canvas offline briefly to contain the incident and restored full service the same evening.
Was Holy Family University affected?
Yes, in part. Holy Family received written communication from Instructure’s Chief Executive Officer on May 8 confirming that Holy Family was among the institutions where Canvas pages were briefly altered on May 7. Instructure has stated, based on the work of its independent forensics partner, that it has found no evidence that Holy Family accounts, credentials, or additional data were compromised in connection with that event. Holy Family’s status with respect to the broader data event from earlier in the week has not been explicitly confirmed by Instructure, and we have requested clarification on that question. We will update this page when we know more.
Was my information stolen?
Based on what Instructure has told us, there is no evidence that Holy Family student, faculty, or staff accounts, passwords, or additional data were compromised in connection with the May 7 incident affecting our institution. Instructure has stated more broadly that, where data was accessed in the larger incident, the categories involved include names, institutional email addresses, student ID numbers, and the contents of certain messages exchanged through Canvas. Instructure has stated that there is no evidence that passwords, dates of birth, government identifiers, or financial information were involved in any aspect of the incident. We will update this page if Instructure’s findings change.
Is Canvas safe to use now?
Yes. Canvas is fully back online and operational. Instructure has taken steps to contain the incident and address the underlying issue, and Holy Family’s IT and Cybersecurity teams have taken precautionary measures within our environment. Students and faculty should continue to use Canvas for coursework as normal.
Do I need to change my password?
You do not need to change your Holy Family password specifically because of this incident. As a general practice, however, we encourage all members of the Holy Family community to use a unique password for their Holy Family account that is not used for any personal accounts. If you have been using your Holy Family password on other websites or services, please change those personal account passwords. This is the single most effective protection available to anyone.
What should I watch out for?
The most realistic risk in the coming weeks is targeted phishing attempts that may reference real courses, real instructors, or real Holy Family information in ways that look convincing. We encourage everyone to be cautious of unexpected emails asking you to log in to Canvas or other accounts, of phone calls or text messages from people claiming to be from Holy Family IT or technical support, and of any message that creates pressure to act quickly. If something feels off, trust that instinct, and forward the message to cyberops@holyfamily.edu or the IT Help Desk.
Holy Family will never ask you for your password or verification codes by email, phone, or text. Anyone who does is not from Holy Family.
What is Holy Family doing about this?
Upon learning of the incident, Holy Family’s IT and Cybersecurity teams took precautionary measures within our environment, including credential rotation, integration review, and forced re-authentication for Canvas users. We have communicated directly with students, faculty, staff, and families. We are in active contact with Instructure and have requested institution-specific information about Holy Family’s status. We are also taking measures consistent with standard practice for incidents of this nature. We are continuing to monitor Holy Family’s environment for unusual activity.
How will I be notified if there are updates?
Updates will be posted to this page as they become available. If new information requires direct action by members of the Holy Family community, we will communicate directly with the appropriate audiences by email. Please continue to check your Holy Family email for communications, and please continue to be cautious of any email referencing this incident that does not come from a verified Holy Family address.
Should I be worried?
We understand that news coverage of this incident has been concerning. Based on what Holy Family has been told by Instructure to date, we have no information indicating that Holy Family accounts, credentials, or data have been compromised. The most useful thing any member of our community can do is to stay alert to phishing and scam attempts in the coming weeks, to use unique passwords for Holy Family accounts, and to report anything suspicious. We will share further information as it becomes available.
Who can I contact with questions?
For technical questions or to report suspicious activity, please contact the IT Help Desk or email canvasconcerns@holyfamily.edu. For other questions, please reach out to the office that ordinarily handles your relationship with the University: for current students and their families, the Dean of Students; for faculty and staff, your supervisor or department chair; for general inquiries, the Office of Communications.