Security Incident Update & FAQs

We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.

With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

• The data was returned to us.
• We received digital confirmation of data destruction (shred logs).
• We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
• This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. As our investigation draws closer to a conclusion, we also intend to share additional details about the root cause and lessons learned, with the goal of helping the broader education technology community better understand and defend against similar threats. We will continue to provide updates as that work progresses.

We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.

• Canvas is fully back online and available for use.
• We have established this incident update page as a central source of information for our customers, students, parents, faculty and staff. We will continue to update this page with the latest information we are able to share.  We will also aim to answer common questions raised by our community.
• We are working with a best-in-class forensic firm, CrowdStrike, to support our team’s forensic analysis of this incident, as well as recommendations to further harden our environment.
• We have also onboarded an additional expert vendor to conduct a comprehensive e-discovery exercise on the data that was involved  so that we can provide customers with further specificity. We do want to set expectations that this comprehensive review is expected to take some weeks to complete.
• FAQ updated and can be found on this page below.

Please continue to reference https://www.instructure.com/incident_update for the latest information from us.

We're actively investigating this matter with outside forensics experts.  We are committed to conducting a rigorous, thorough investigation. We began providing notice to impacted organizations on May 5 and are now verifying customer-specific data through ongoing investigation. When we verify the identities of affected individuals associated with your organization, and the specific data impacted, Instructure will provide that information directly to you. 

If your organization has not heard from us directly, we have not found evidence that your data was involved. Our investigation is ongoing, and if we learn more, we will communicate with your organization directly. 

The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.

Based on the investigation to date, we have not found evidence that data was taken during the May 7 activity. The investigation is ongoing, and we'll share more as findings are verified.

Based on the investigation to date, we have not found evidence that data was taken during the May 7 activity. We will continue to share additional confirmed updates as they become available on this Incident Update page.

We're actively investigating this matter with outside forensics experts and are prioritizing conducting a rigorous, thorough investigation. Investigations of this nature take time to complete properly, and we are committed to providing accurate information as quickly as we are able. We expect to provide a customer-specific report or summary when that validation is complete and reporting is finalized. Meanwhile, your CSM and account team remain available as points of contact.

We're actively investigating this matter with outside forensics experts and are prioritizing conducting a rigorous, thorough investigation.  Will share information in response to this question when we have the required information.

We’re currently working to identify a robust list of Indicators of Compromise (IOCs) and will make those available to our customers. 

We've taken several steps in response to the incident. We identified the issue related to Free-For-Teacher accounts and temporarily shut down those accounts. This was a difficult decision because Free-For-Teacher accounts are an important part of our platform, but it was the right step to protect customers and users while we complete additional safeguards. 

We also revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms. We engaged a third-party forensic firm and notified law enforcement.

Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements. Our published security and compliance materials are available at trust.instructure.com.

As we respond to this incident, we're focused on three things: completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data. Trust is earned through actions and we’re committed to earning yours.
 

Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.

We understand why this raises serious concern, and we do not take that trust for granted. The prior Salesforce-related incident and this Canvas security incident are distinct events involving different systems and circumstances.. We know trust is earned through actions, and we are focused on completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data.

Your organization is your first point of contact. They'll share information specific to your situation as we provide it.

In the meantime, it is always a good practice to be cautious of unexpected emails or messages referencing this incident, avoid clicking suspicious links, and report anything unusual to your school or institution’s IT or security team.
 

Instructure is committed to making all applicable legal and regulatory notifications.

Yes, we will support all impacted customers with legal notification obligations. 

We are committed to keeping you updated. This incident hub (https://www.instructure.com/incident_update) will serve as the central source for confirmed updates, customer communications, and updated FAQs about this incident. For service availability and operational updates, please visit status.instructure.com.

If your organization is impacted, we'll communicate directly through your established organization contacts.