Instructure Discloses Cybersecurity Incident as Canvas Data 2 and Beta Tools Remain Under Maintenance
Instructure, the company behind the Canvas learning management system, has confirmed a cybersecurity incident involving a criminal threat actor. The company says it is investigating the incident with outside forensic experts and has taken steps to reduce its impact.
The incident affects an education technology provider used by schools, universities, and organizations to manage online learning, coursework, assignments, and related student activity. Instructure has not said how the attackers gained access or how many institutions may be affected.
In a May 2 update, Instructure said it believes the incident has been contained. The company also said early findings point to limited user-identifying information, such as names, email addresses, student ID numbers, and messages among users.
What Instructure has confirmed so far
Instructure said it revoked privileged credentials and access tokens linked to affected systems. It also deployed security patches, rotated some keys as a precaution, and increased monitoring across its platforms.
The company said it has found no evidence so far that passwords, dates of birth, government identifiers, or financial information were involved. It added that impacted institutions will be notified if that changes.
The disclosure came through Instructure’s status page, where Chief Information Security Officer Steve Proud said the company will continue sharing updates as the investigation progresses.
At a glance
| Detail | Information |
|---|---|
| Company | Instructure |
| Main product | Canvas learning management system |
| Incident type | Cybersecurity incident involving a criminal threat actor |
| Investigation status | Ongoing with outside forensic experts |
| Current company view | Incident believed to be contained |
| Potentially involved data | Names, email addresses, student ID numbers, and messages among users |
| Not currently found involved | Passwords, dates of birth, government identifiers, or financial information |
Canvas Data 2 and Beta tools remain under maintenance
Instructure’s status page also lists Canvas Data 2, Canvas Beta, and Canvas Test as under maintenance. Customers may see limited disruption to tools that rely on API keys.
The company said it reissued certain application keys as a precaution. These reissued keys include timestamps in their names and may appear during user re-authorization.
Instructure told users these are valid Instructure-created keys and that they should continue the authorization process. This matters for schools and vendors that use Canvas integrations, reporting tools, and data pipelines.
Why the API key warning matters
Canvas Data 2 uses client IDs and secrets to let account admins connect tools to Canvas data. If a key changes, affected tools may need users or admins to authorize access again.
That does not automatically mean API keys were misused. Instructure said it rotated certain keys even though it had no evidence they were abused.
Still, administrators should review connected applications, confirm which tools depend on Canvas Data 2, and prepare for re-authorization steps if their environment depends on those integrations.
What schools and admins should check now
- Monitor the Instructure status page for new incident updates.
- Review Canvas Data 2, Canvas Beta, and Canvas Test maintenance notices.
- Identify tools that rely on Canvas API keys or Canvas Data 2 credentials.
- Confirm whether reissued application keys appear during authorization.
- Review recent access-token activity and privileged account changes.
- Tell faculty and staff not to approve unexpected Canvas authorization prompts without checking with IT.
- Prepare communications for students if your institution receives a direct notice from Instructure.
Education technology remains a target
The Instructure incident comes as education technology vendors face growing pressure from cybercriminals. These platforms often store student names, school email addresses, enrollment records, messages, assignments, and other data tied to daily learning activity.
Attackers target this sector because one vendor can serve thousands of schools. A single provider incident can force many districts and universities to review their own exposure, even when their internal systems were not directly breached.
PowerSchool disclosed a separate student information system breach after unauthorized access in late 2024. U.S. prosecutors later said that case involved data from more than 60 million students and 10 million teachers.
The key issue for customers
The biggest open question is the scope of the Instructure incident. Schools need to know which institutions were affected, which systems were accessed, and whether messages or student identifiers require notification under local privacy rules.
Instructure has not confirmed a full victim count or a final list of affected data categories. For now, the company says the investigation is continuing and that it will update institutions as more information becomes available.
Until then, education customers should focus on practical controls: review Canvas integrations, watch for suspicious authorization prompts, prepare help desk guidance, and preserve logs that may help with local impact reviews.
FAQ
Instructure confirmed a cybersecurity incident involving a criminal threat actor. The company is investigating with outside forensic experts and says it believes the incident has been contained.
Canvas LMS is listed as operational, but Canvas Data 2, Canvas Beta, and Canvas Test have been under maintenance. Some tools that rely on API keys may experience disruption.
Instructure says early findings point to certain identifying information, including names, email addresses, student ID numbers, and messages among users.
Instructure says it has found no evidence so far that passwords, dates of birth, government identifiers, or financial information were involved.
Admins should monitor Instructure’s status page, review connected apps and API keys, check privileged access activity, and prepare users for possible re-authorization prompts involving reissued application keys.