A recent cybersecurity incident involving Canvas resulted in unauthorized access to Caltech's Canvas data. According to Instructure, the exposed data may include names, email addresses, usernames, course enrollments, section/group memberships, and messages.
Because this information may be used for targeted phishing, all Canvas users should remain vigilant and follow the guidance below.
Accessing Canvas Safely
Always access Canvas through https://access.caltech.edu/. Do NOT click links embedded in email notifications.
Recognizing Official Canvas Communications
- Official global Canvas emails are sent from Caltech Canvas Notifications ([email protected]).
- Course-related messages use the same sender, with the course name as the display name (for example, Sandbox for M.E. at [email protected]).
- If you are unsure whether an email is legitimate, forward it to [email protected] for review.
Managing Third-Party Access Tokens
To reduce risk to integrated tools (e.g., Analytics, Gradescope, Zoom), remove existing access tokens:
- Open Account (profile icon in Canvas navigation).
- Select Settings (or visit: https://caltech.instructure.com/profile/settings).
- Scroll to Approved Integrations.
- Delete tokens using the trash icon.
- New tokens will be generated automatically when needed.
For more information:
- Policy on access tokens: https://canvas.caltech.edu/canvas-resources/api-tokens
- Incident details: https://www.imss.caltech.edu/
If you have questions or concerns, please contact us (626.395.3500, [email protected] or https://servicenow.caltech.edu).
– The Canvas at Caltech Team