Instructure, the company behind Canvas, one of the world’s most used learning management systems, has been dealing with a cybersecurity incident. The developer is currently investigating the impact of the incident.
-
Hackers breached Canvas, exposing student data.
-
Personal info accessed, but passwords not affected.
-
Incident now contained after security measures.
-
Education platforms increasingly targeted by attackers.
“Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts,” Steve Proud, Chief Information Security Officer (CISO) at Instructure, said in a press release.
“We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact. Maintaining your trust is our highest priority, and we are committed to transparency throughout this process.”
To reduce the impact of the incident, Instructure has revoked privileged credentials and access tokens associated with affected systems. Additionally, patches have been deployed to enhance system security.
Furthermore, monitoring across all platforms has been increased. And lastly, out of caution, certain keys have been reissued, even though there was no evidence they were misused. This requires end users to re-authorize access to those tools.
According to Instructure’s initial findings, attackers may have viewed or exfiltrated certain user-identifying information, including full names, email addresses, student ID numbers, and messages.
The learning management systems developer says there’s no evidence that passwords, dates of birth, government identifiers, or financial information were exposed.
“If that changes, we will notify any impacted institutions,” Instructure promises.
Has your password leaked?
On Saturday, Proud claimed that the incident had been contained.
“Thank you for your patience as we work to resolve this matter. We sincerely regret any inconvenience or concern this may cause. We will continue to keep you apprised as our investigation progresses,” he concluded.
Hackers are increasingly targeting developers of educational software because they hold vast amounts of personal information of students and teachers.
In January 2025, PowerSchool disclosed that it was being extorted by a threat actor who claimed to have stolen personally identifiable information of millions of students. A 19-year-old college student from Massachusetts was sentenced to four years in prison for his role in the ransomware attack.
In March 2026, Infinite Campus confirmed that a threat actor targeted the company’s Salesforce instance, which consisted of names and contact information for school staff members.
Is Canvas free?
Canvas is not free - educational institutions pay licensing fees ranging from thousands to hundreds of thousands of dollars annually depending on their size. However, students and teachers at schools with Canvas licenses can access it at no personal cost.
How does Canvas work?
Canvas is a cloud-based learning management system (LMS) that serves as a central hub for online education. Schools license the platform, then teachers create course pages where they can post assignments, syllabi, announcements, grades, and learning materials, while students log in to access coursework, submit assignments, participate in discussions, take quizzes, check grades, and communicate with instructors and classmates. User can do it via web browser or mobile app.
Is Canvas owned by Amazon?
Canvas is owned by Instructure, which is currently owned by KKR, a private equity firm that acquired the company for $4.8 billion. Canvas is hosted on Amazon Web Services (AWS) - Amazon's cloud infrastructure - but that doesn't mean Amazon owns the product.
FAQ by nexos.ai, reviewed by Cybernews staff.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked