Security Incident Update & FAQs

Letter from Steve Daly to Customers

To our Instructure community, 

Two weeks ago, I wrote to you with an apology and a promise. I want to follow up today on both. 

You asked for details, and we’ve been working to get them to you through one-on-one conversations, webinars, or the Incident Update Page. Our commitment to learning from this experience will not waiver, whether that’s two weeks, two months, or two years. 

One of the most important things you’ve made clear is that Canvas is critical infrastructure, and when something disrupts that (especially at the end of the semester), the ripple effects are enormous.   Honestly, we knew this at some level, but going through this has made it real in a way it wasn’t before. For learners, their families, and educators, it’s how effective teaching happens, how institutions operate smoothly, and how learning gets documented and delivered to the student. It’s a huge responsibility, one that we cannot take lightly.

As the leader in this space, our responsibility goes beyond a 'lessons learned' session or our own remediation. We have an obligation to help make the industry stronger.

The threats facing academic institutions and education technology providers aren’t going away. No single platform can build a resilient ecosystem alone, but I believe we can as a community. We’re already in conversations with government leaders, technology and integration partners, and institutions about how we can collectively build something stronger, together. As part of that, we are organizing an Advisory Board focused on security and resilience, led by our Chief Academic Officer, Melissa Loble.  The goals are to develop a clear playbook for how we collectively secure our environments and, should something happen that affects system availability, have a redundant ecosystem that our community can rely on.  We don’t have to work on these challenges alone, together we can build an ecosystem that learners and their families can have confidence in. 

We don’t have all the answers yet, but I am confident that something good will come out of this incident. If your institution wants to be part of that conversation, we want to hear from you and sincerely appreciate your support.

We also want to acknowledge that our initial response during this incident added to what was already a challenging situation, and for that, we are truly sorry. We’re doing a comprehensive review of how we respond to any event that affects availability, because we understand how much that matters.  We will consult and update you on the changes resulting from that analysis.

Before I close, we’re now doing the detailed data breakdown, taking the broader field findings we shared earlier this week and parsing them by institution.  While we don’t know how long this work will take, it will be measured in weeks and months, not days. Conducting our data analysis with speed is the primary goal, but of course, accuracy is equally important to us. We will continue to keep our Incident page updated with the latest. 

Finally, I want to thank you for the grace you’ve shown us over the past two weeks. It says a lot about who you are as a community, a community we are so very grateful to be a part of!

Steve Daly, CEO, Instructure

We know that concerns around the scope and nature of data involved remain top of mind for many of our customers. We continue to work diligently with leading forensic experts to complete our analysis, and these efforts remain ongoing.

To support our affected customers, we will be providing Canvas Administrators with preliminary findings about the data fields that were exfiltrated. Instructions for how to access this information will be provided directly to Canvas account administrators. We are hopeful that these preliminary findings represent an important first step in providing the specifics related to data involved that we know our customers – and community – are eagerly awaiting. As always, customers’ Instructure point of contact will be available to support with questions, provide general background information, address business continuity concerns, and support day-to-day needs.

In the spirit of continued transparency, we have refreshed our incident update page, which will continue to serve as the central repository for new information, resources, and ongoing communications related to this incident. Our goal is to continue to be responsive to the feedback we receive and refine our communications approach as we move forward.

To better support the many people who rely on our products every day, we have organized the Incident Update page by stakeholder group: customers, faculty, and students and families. Each section is designed to provide tailored information and relevant resources specific to the needs and concerns of that audience, making it easier to find the information most meaningful to you. These pages include specific FAQs tailored to our stakeholders, and downloadable resources that we hope provide greater clarity on what has happened to date, and our plans moving forward.

Going forward, we encourage you to refer to your designated incident page for the latest updates and information relevant to you. We will continue to update these pages with additional resources as more information becomes available.

Some questions have come in related to the potential impact on our Parchment product. We want to confirm that our Parchment product was not affected by the recent cybersecurity incident involving our Canvas platform. We have seen no evidence of lateral movement or unauthorized activity from Canvas to Parchment or any other Instructure products, and Parchment servers are distinct from those that support Canvas. Nevertheless, to provide additional confidence in our initial findings, we scanned the Parchment product for all known Indicators of Compromise associated with the actor responsible for the Canvas incident and found no indication of any unauthorized access.

As part of our response, we have rolled out CrowdStrike’s Falcon Endpoint Detection & Response tool across the Instructure network to provide 24/7 monitoring capabilities. CrowdStrike’s Falcon tool has not detected any ongoing unauthorized access to any Instructure product, including Parchment. Further, our forensic partners at CrowdStrike have found no evidence of system-layer access to Instructure systems that would facilitate any unauthorized activity beyond the Canvas platform. Nevertheless, we are continuing eyes-on glass, hands-on-keyboard monitoring of our environment as an additional layer of assurance.

All of the evidence outlined above underscores our firm belief that Parchment was not involved in this incident. As always, we appreciate your continued trust and support.

We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.

With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

• The data was returned to us.
• We received digital confirmation of data destruction (shred logs).
• We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
• This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. As our investigation draws closer to a conclusion, we also intend to share additional details about the root cause and lessons learned, with the goal of helping the broader education technology community better understand and defend against similar threats. We will continue to provide updates as that work progresses.

We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.

• Canvas is fully back online and available for use.
• We have established this incident update page as a central source of information for our customers, students, parents, faculty and staff. We will continue to update this page with the latest information we are able to share.  We will also aim to answer common questions raised by our community.
• We are working with a best-in-class forensic firm, CrowdStrike, to support our team’s forensic analysis of this incident, as well as recommendations to further harden our environment.
• We have also onboarded an additional expert vendor to conduct a comprehensive e-discovery exercise on the data that was involved  so that we can provide customers with further specificity. We do want to set expectations that this comprehensive review is expected to take some weeks to complete.
• FAQ updated and can be found on this page below.

Please continue to reference https://www.instructure.com/incident_update for the latest information from us.

To our Instructure community,

I'll start where I should: with an apology.

Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that.

Here's what we know.

This incident involved unauthorized access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.

We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review. We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.

Last week, we made a call to get the facts right before speaking publicly. That instinct isn't wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward.

So here's what we're changing.

We've launched a dedicated Incident Update page, a single place with what we know, what we're doing, and what's next. We'll post another update within 48 hours and we're working on delivering a summary of the forensics report, which we'll share as soon as it's ready.

Two things you can count on right now:

• Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.
• We'll give you clear guidance if any action is required on your end. Right now, there's nothing you need to do.

Keep reaching out to your Customer Success teams and through our Community channels. Your feedback is shaping how we respond.

Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.

Thank you for your patience and for everything you do for learners.

Steve Daly CEO, Instructure

On April 29, 2026, we detected unauthorized activity in Canvas. We immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.

On May 7, 2026, the same threat actor gained additional access through a second Canvas vulnerability. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas. Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards. Due to monitoring that we implemented after the first attack, we detected and disabled the second attack approximately 10 minutes after it began. No additional data was accessed or exfiltrated in this second attack, but we chose to put Canvas into maintenance mode until we could verify both the scope of the attack and that the attackers’ access was fully closed.

We have since confirmed that the unauthorized actor carried out this activity in both instances using one of our Free-For-Teacher accounts.

As a result, Canvas Free-for-Teacher was taken offline. We are in touch with Free-for-Teacher users directly with next steps regarding their use of Canvas. 

In the meantime, Canvas continues to be fully back online and available for use

At this time, we are not recommending broad new customer-side remediation solely based on the May 7 activity unless we communicate directly that specific action is required for your environment. We have confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts, and we shut down that product as a result. We are in touch with Free-for-Teacher users directly with next steps regarding their use of Canvas. We recommend that all customers continue normal monitoring of their Canvas environments, integrations, and administrative activity.

Yes. Canvas is fully back online and available for use. Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.

We have blocked the unauthorized access, remediated the vulnerabilities and privilege escalation paths used, and importantly, our engineering teams have been working around the clock to harden our environment, enhance monitoring, and make sure that Canvas is safe for students and teachers to use

We do not have any evidence that any other products were affected by either incident. Our servers that support Canvas are separate from our other systems, and we have not detected any lateral movement from Canvas to other Instructure products.