Skip to content
English
Visit our website
  • There are no suggestions because the search field is empty.

Instructure / Canvas Cybersecurity Incident Advisory.

Summary

Instructure first disclosed the incident on 1 May 2026 and confirmed on 2 May 2026 that, working with outside forensic experts, it believed the incident had been contained. Instructure stated that it had revoked privileged credentials and access tokens linked to the affected systems, deployed security patches, rotated certain keys as a precaution, and implemented increased monitoring.

On 6 May 2026, Instructure declared the incident resolved, with Canvas fully operational and no ongoing unauthorized activity observed. Instructure has stated that further communications are taking place directly with impacted customers.

Reported data exposure

Instructure has stated that the exposed data appears to consist of certain identifying information of users at affected institutions, including:

  • Names
  • Email addresses
  • Student ID numbers
  • Messages among users

Instructure has stated that it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.

The ransomware group ShinyHunters has claimed responsibility and alleged the theft of a much larger dataset. These figures are threat-actor claims and have not been independently verified.

Potential impact

Your organization may be exposed in several ways:

  • Directly, if you operate a Canvas tenant for academic, corporate training, certification, or partner-onboarding purposes.
  • Indirectly, if you rely on a third-party training provider that uses Canvas.
  • Through your workforce, if employees or family members hold Canvas accounts via affiliated educational institutions.

Organizations should also consider whether the incident creates any obligations under FERPA, U.S. state breach-notification laws, or equivalent frameworks where applicable.

Recommended actions

Organizations that may use Canvas / Instructure should consider the following actions:

  1. Determine whether your organization operates a Canvas tenant, or appears on the affected-institutions list, and request tenant-specific impact confirmation from Instructure.
  2. Implement Instructure’s recommended security best practices: enforce MFA on privileged accounts, review admin access, and rotate API tokens or keys where applicable.
  3. Extend rotation to developer keys, LTI integrations, and any service-account credentials linked to the Canvas tenant.
  4. Review SSO/OAuth federation logs for anomalous activity and confirm MFA is enforced on administrator accounts.
  5. Issue clear phishing-awareness communications to students, parents, staff, or employees as relevant, with specific language about Canvas, university, and school-district impersonation through and beyond the 12 May 2026 deadline.
  6. Configure email gateways to flag external messages referencing Canvas, Instructure, or affected institutions for elevated scrutiny.
  7. Engage data-protection officers and legal counsel to assess notification obligations under applicable regulatory frameworks.
  8. Increase SIEM monitoring for anomalous Canvas authentication, mass-download, and API-enumeration activity.
  9. Review third-party risk assessments for EdTech and LMS suppliers, given the cluster of recent ShinyHunters activity against the sector, including Instructure, PowerSchool, Infinite Campus, and McGraw Hill.
  10. Preserve Canvas authentication and access logs you control, in case forensic correlation is required.

KYND guidance

KYND recommends that organizations take action and maintain heightened vigilance as the situation develops. Where a member organization appears potentially relevant to this incident, tenant-specific confirmation should be sought from Instructure or through the organization’s own internal review.