Instructure, the company behind the widely-used Canvas learning management system, has disclosed a cybersecurity incident currently under active investigation. According to Steve Proud, the company’s Chief Security Officer, the breach was perpetrated by a criminal threat actor. Outside forensics experts have been engaged to assess the scope and impact.
As of May 1, several Instructure services — including Canvas Data 2 and Canvas Beta — were undergoing maintenance, and customers relying on API keys were warned they may experience disruptions. Instructure has not confirmed whether this maintenance is directly linked to the security incident.
This incident follows a separate breach in September 2025, where Instructure disclosed a social engineering attack that compromised data in its Salesforce instance. The threat actor group ShinyHunters claimed responsibility for that earlier breach.
Education technology firms continue to be prime targets for cybercriminals due to the vast amounts of sensitive personal data they manage for students, teachers, and institutions. The Canvas platform alone serves thousands of schools and universities worldwide, making any compromise potentially far-reaching.
Affected institutions should monitor official communications from Instructure for updates on service restoration and any recommended security measures.
Source: BleepingComputer
