Canvas LMS cybersecurity incident

Last updated: 14 May 2026 5.30pm

In May 2026, a known cybersecurity incident affected the Canvas Learning Management System (LMS), impacting thousands of Canvas clients around the world.

Canvas is a global LMS platform used by many universities in Australia and worldwide, including the University of Melbourne.

Following investigations with the vendor, Instructure, and related parties, we confirmed that the University of Melbourne is among the universities affected by this breach.

The University is still working with the vendor to understand the precise nature of the data that has been involved in this incident.

We will endeavour to update this page with as much information as we have. If you have questions related to this incident, please feel free to contact Stop 1.

Staying safe after a cybersecurity event

It’s possible that you may receive attempts to obtain or validate your data, or even ask you to take action such as paying to protect your data.

Do not engage with people who contact you about the data breach and ask for payment, even if you find the request convincing and compelling. A legitimate organisation will not ask for money to keep your data private.

  • Cyber criminals may try to impersonate Canvas, the University of Melbourne, or other official organisations. If you aren’t sure whether communication is genuine, do not engage or provide any personal details.
  • All staff and students should have access to a Report Phishing button in their Outlook inbox. To report an email as suspicious, select the email and click the Report button, or right click on the email and select ReportReport phishing. If you receive messages through any other platform, please forward or send a screenshot to spam-report@unimelb.edu.au.
  • If you do receive such messages, once you have reported them, you may wish to seek support from Safer Community. You can also contact Stop 1 if you are unsure of anything.
  • If you receive an email, text message or phone call asking you to take action related to your studies, use your web browser to visit the University's website directly – do not click on any links in an email or text message.

Please visit our cybersecurity page for further tips to stay cyber safe.

Further information

  • On Wednesday 6 May 2026, Instructure, which operates the Canvas LMS, advised the University that we had been impacted by an unauthorised actor who obtained data associated with our account.

    Instructure advised that the data fields involved appeared to include information like usernames, student email addresses and course names. At that time, they did not find indications that passwords, dates of birth, government identifiers, or financial information were involved.
    The University is still working with Instructure to understand the precise nature of the data that has been involved in this incident.

    On Tuesday 12 May, the Canvas LMS vendor Instructure advised its clients, including the University, that it has reached an agreement with the unauthorised actor involved in the incident. They advised that as part of the agreement, that data was returned to Instructure, they received assurances that it will not be further shared on the dark web or elsewhere, and they received proof that any copies of that data were deleted.

  • The Australian Government advises:

    Never pay a ransom. There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack.

    Further advice from the Australian National Office of Cybersecurity (NOCS):

    Cybercriminals cannot be trusted. Making a ransomware payment does not guarantee sensitive data will be recovered, nor prevent it from being sold or leaked online. It also does not guarantee the impacted entity will not be subject to additional cyber attacks. The Australian Government does not recommend anyone pay a ransom.

  • While we haven’t yet had confirmation of what data has been accessed, we would like to provide some reassurance about the kind of personal data that is entered and stored in the LMS system by the University. This includes first name, last name, University username, University email address, and student ID of a student. For staff users, employee ID is not entered. Student information like date of birth, government identifiers, or financial information is not requested or required to be entered or stored in the LMS by the University.

    At this time, the University has not identified any need to reissue student numbers. Your student number is created by the University as a way to identify you and link your records between systems. It may have been reported to various government bodies and services, depending on your circumstances. However, your student number is not used as a personal identification number (PIN) or form of government identification.

    The University has therefore assessed that there is no additional risk to your privacy or personal information as a consequence of your student number potentially being shared. We have strengthened our verification processes in instances where we are seeking students to verify their identity to access support or services, through StudentIT and Stop 1 channels.

  • We understand that some students and staff may have concerns about the use of third-party, cloud-based platforms.

    We regularly review our systems to ensure they are fit for purpose and secure. We are also undertaking additional work to review the cybersecurity measures that we have in place with other third-party technology providers.

    What we’re doing to ensure the security of our platforms

    The University is satisfied that Canvas LMS is currently safe to use. Actions that we have taken to date include:

    • Checked that all the systems interacting with Canvas LMS are secure, by reviewing system configurations to ensure security and stability of interconnected systems
    • Put in place additional monitoring for cyber-attacks, anomalies, and indicators of compromise across the entire University environment
    • Proactively rotated or invalidated all relevant system keys, tokens, sessions, and credentials to ensure the unauthorised actor cannot access any other platforms
    • Put our automated email security systems on heightened alert for suspicious emails or phishing emails
    • Tagged all emails from external senders with a warning banner, advising people to be alert for phishing emails related to the Canvas LMS incident
    • Monitoring known sites and the dark web for indications of data leak
    • Monitoring threat intelligence from the Australian Cyber Security Centre, the Australian Higher Education Cybersecurity Service and other technical partners
    • Undertaking extensive contingency planning in case of any further impacts on the availability of Canvas LMS.

    The University continues to work with the Department of Home Affairs which is coordinating activities across the Australian Federal Police, Office of the Australian Information Commissioner, other relevant government agencies and the impacted Australian educational institutions to ensure timely responses to this incident.

    The University takes privacy, cybersecurity and the protection of personal information seriously and invests significantly in safeguarding our systems and platforms from unauthorised actors. However, we need everyone to play a part in protecting our systems by following good cybersecurity practices, reporting suspicious activity and being the first line of defence against cyber-attacks. To learn more, visit our cybersecurity webpage.

  • When using online platforms, it’s important to be mindful that some level of risk is always present, even where security controls and encryption are in place.

    If you need to provide personal information or documentation (such as a medical certificate) for Special Consideration, please apply through the online Special Consideration form. Do not send confidential documents via Canvas messages or other channels.

    If you need confidential advice regarding your studies, contact Stop 1

  • We will endeavour to update this page with as much information as we have. If you have questions related to this incident, please feel free to contact Stop 1 (for students) or Service Centre (for Staff).

    If you have significant and urgent safety concerns relating to your personal information that you may have shared, particularly if this has any legal implications related to your personal circumstances (e.g. domestic and family violence, court orders) please contact Safer Community for confidential support.

Past updates on Canvas LMS incident

  • The Canvas Learning Management System (LMS) is now available to students and staff again following an outage.

    Throughout this incident, the safety and protection of our students, staff and their data have been our top priority. Following user testing, we are satisfied that the platform is currently safe and stable. The vendor has also now provided this assurance.

    Course materials and assessments

    Students and staff can now log in to Canvas Learning Management System (LMS).

    Any adjustments to assessments due between Friday 8 and Sunday 10 May, which have already been communicated by subject coordinators, will be updated in the LMS as soon as possible.

    Students may still see assessment information in the LMS that predates the outage period and has not yet been updated to reflect communicated extensions. We kindly request that students allow time for updates to be made.

    Subject coordinators will communicate any adjustments to deadlines for assessments due in the week following the outage.

    Students who believe their studies or assessments have been impacted by this outage despite accommodations made at the subject level, can apply for Special Consideration.

    .

  • The University is aware that Canvas LMS is currently unavailable.

    We are working with the vendor to resolve its availability. This is a global outage.

    If you are a University of Melbourne student, please be assured that any assessments due for submission today or over the weekend through the LMS will have the submission deadline extended. Your subject coordinator will communicate with you by email when further details are confirmed. You do not need to try to make arrangements personally.

    Please allow time for arrangements to be made. Thank you for your patience and understanding.

  • A known cybersecurity incident is affecting Canvas Learning Management System (LMS) that has impacted thousands of Canvas clients globally.

    Canvas is a global LMS platform used by many universities in Australia and worldwide, including the University of Melbourne.

    The vendor has advised that some University of Melbourne data has been involved in this breach.

    What this means for our students and staff

    We understand this may be concerning for our students and staff, and we are sorry for any stress that this has caused.

    We are working with the vendor and relevant authorities to understand the extent of the data breach and how this occurred.

    What you can do now

    Please continue to practice good cybersecurity. Helpful tips are available on our cybersecurity pages.

    You do not need to take any further action at this stage.

    What next

    We will update this webpage with new information as it becomes available.

    If you have questions, contact Stop 1 in the first instance.

    You may also wish to access our student support services.