Security Incident Update & FAQs

In the spirit of continued transparency, we have refreshed our incident update page, which will continue to serve as the central repository for new information, resources, and ongoing communications related to this incident. Our goal is to continue to be responsive to the feedback we receive and refine our communications approach as we move forward.

To better support the many people who rely on our products every day, we have organized the Incident Update page by stakeholder group: customers, faculty, and students and families. Each section is designed to provide tailored information and relevant resources specific to the needs and concerns of that audience, making it easier to find the information most meaningful to you. These pages include specific FAQs tailored to our stakeholders, and downloadable resources that we hope provide greater clarity on what has happened to date, and our plans moving forward.

Going forward, we encourage you to refer to your designated incident page for the latest updates and information relevant to you. We will continue to update these pages with additional resources as more information becomes available.

Some questions have come in related to the potential impact on our Parchment product. We want to confirm that our Parchment product was not affected by the recent cybersecurity incident involving our Canvas platform. We have seen no evidence of lateral movement or unauthorized activity from Canvas to Parchment or any other Instructure products, and Parchment servers are distinct from those that support Canvas. Nevertheless, to provide additional confidence in our initial findings, we scanned the Parchment product for all known Indicators of Compromise associated with the actor responsible for the Canvas incident and found no indication of any unauthorized access.

As part of our response, we have rolled out CrowdStrike’s Falcon Endpoint Detection & Response tool across the Instructure network to provide 24/7 monitoring capabilities. CrowdStrike’s Falcon tool has not detected any ongoing unauthorized access to any Instructure product, including Parchment. Further, our forensic partners at CrowdStrike have found no evidence of system-layer access to Instructure systems that would facilitate any unauthorized activity beyond the Canvas platform. Nevertheless, we are continuing eyes-on glass, hands-on-keyboard monitoring of our environment as an additional layer of assurance.

All of the evidence outlined above underscores our firm belief that Parchment was not involved in this incident. As always, we appreciate your continued trust and support.

We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.

With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

• The data was returned to us.
• We received digital confirmation of data destruction (shred logs).
• We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
• This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. As our investigation draws closer to a conclusion, we also intend to share additional details about the root cause and lessons learned, with the goal of helping the broader education technology community better understand and defend against similar threats. We will continue to provide updates as that work progresses.

We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.

• Canvas is fully back online and available for use.
• We have established this incident update page as a central source of information for our customers, students, parents, faculty and staff. We will continue to update this page with the latest information we are able to share.  We will also aim to answer common questions raised by our community.
• We are working with a best-in-class forensic firm, CrowdStrike, to support our team’s forensic analysis of this incident, as well as recommendations to further harden our environment.
• We have also onboarded an additional expert vendor to conduct a comprehensive e-discovery exercise on the data that was involved  so that we can provide customers with further specificity. We do want to set expectations that this comprehensive review is expected to take some weeks to complete.
• FAQ updated and can be found on this page below.

Please continue to reference https://www.instructure.com/incident_update for the latest information from us.

To our Instructure community,

I'll start where I should: with an apology.

Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that.

Here's what we know.

This incident involved unauthorized access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.

We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review. We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.

Last week, we made a call to get the facts right before speaking publicly. That instinct isn't wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward.

So here's what we're changing.

We've launched a dedicated Incident Update page, a single place with what we know, what we're doing, and what's next. We'll post another update within 48 hours and we're working on delivering a summary of the forensics report, which we'll share as soon as it's ready.

Two things you can count on right now:

• Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.
• We'll give you clear guidance if any action is required on your end. Right now, there's nothing you need to do.

Keep reaching out to your Customer Success teams and through our Community channels. Your feedback is shaping how we respond.

Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.

Thank you for your patience and for everything you do for learners.

Steve Daly CEO, Instructure

On April 29, 2026, we detected unauthorized activity in Canvas. We immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.

On May 7, 2026, the same threat actor gained additional access through a second Canvas vulnerability. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas. Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards. Due to monitoring that we implemented after the first attack, we detected and disabled the second attack approximately 10 minutes after it began. No additional data was accessed or exfiltrated in this second attack, but we chose to put Canvas into maintenance mode until we could verify both the scope of the attack and that the attackers’ access was fully closed.

We have since confirmed that the unauthorized actor carried out this activity in both instances using one of our Free-For-Teacher accounts. As a result, we have made the decision to temporarily shut down that product. We know that many educators rely on Free-For-Teacher, and so we are also working on solutions that will allow us to bring it back online without exposing the rest of the Canvas community to undue risk. 

In the meantime, Canvas is fully back online and available for use.

At this time, we are not recommending broad new customer-side remediation solely based on the May 7 activity unless we communicate directly that specific action is required for your environment. We have confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts, and we have temporarily shut down Free-For-Teacher accounts as a result. We recommend that customers continue normal monitoring of their Canvas environments, integrations, and administrative activity.

Yes. Canvas is fully back online and available for use. Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.

We have blocked the unauthorized access, remediated the vulnerabilities and privilege escalation paths used, and importantly, our engineering teams have been working around the clock to harden our environment, enhance monitoring, and make sure that Canvas is safe for students and teachers to use

We do not have any evidence that any other products were affected by either incident. Our servers that support Canvas are separate from our other systems, and we have not detected any lateral movement from Canvas to other Instructure products.