Fresno State warns students of Canvas vendor cybersecurity incident

Fresno State warned students to watch closely for suspicious emails and account activity after a Canvas vendor breach may have exposed names, email addresses, student ID numbers and messages tied to campus accounts. The university said there is no indication passwords, dates of birth, government-issued identification numbers or financial information were involved.

Dr. Bao Johri, Fresno State’s vice president for information technology and chief information officer, sent the campus-wide email Tuesday afternoon. The university said it learned that Instructure, the company behind Canvas, had been targeted in a vendor-driven cybersecurity incident, meaning the exposure did not stem from Fresno State’s internal network but from a third-party platform woven into daily campus use.

That matters because Canvas is not an obscure back-office tool. Fresno State describes it as the university’s learning management system for courses, assignments, discussions, grades, calendars, notifications and messages. A breach in that system can touch the same account details students use to submit work, check grades and communicate with instructors.

Instructure disclosed the incident on May 1 and said it was investigating with outside forensics experts. By May 6, its status page said the event had been contained, Canvas was fully operational and there was no ongoing unauthorized activity. Instructure also said the exposed data appeared to include certain identifying information of users at affected institutions, including names, email addresses, student ID numbers and messages among users. The company said it found no evidence that passwords, dates of birth, government identifiers or financial information were involved.

Fresno State has not publicly quantified how many students or records may have been affected, and the exact scope of the university’s exposure remains under investigation. That leaves an immediate gap between what has been confirmed and what still has to be counted, especially for current and former students whose Fresno State messages or account information may have been part of the incident.

The Fresno State case fits a broader pattern across higher education, where universities increasingly depend on cloud-based vendors that hold large amounts of student data. PowerSchool disclosed a January 2025 breach affecting 62 million students, and Instructure previously said it dealt with a separate breach in September 2025 involving its Salesforce instance. ShinyHunters claimed responsibility for the newest Instructure breach and said it had a list of about 8,800 schools allegedly affected, along with a claim that 275 million people were involved, though that figure has not been independently verified.

For Fresno State, the key questions now are how many people were exposed, what exact data fields were touched and whether the university will offer monitoring or other support if the exposure is confirmed. The incident has already turned a routine campus learning system into a test of trust.