[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffv9sf44jqiUsloOGOs46Cx4wrUviCxRSGY-q0NbSdIE":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":30},"2bb15b13-4976-4d9d-8ea2-c3e716c020e5","Security Incident Update & FAQs","security-incident-update-faqs-5fe463",null,"Instructure detected unauthorized activity in Canvas LMS on April 29, 2026, and again on May 7, 2026, both exploiting a vulnerability in Free-For-Teacher accounts. The threat actor accessed and modified student and teacher pages, prompting Instructure to take Canvas offline temporarily, revoke credentials, and shut down Free-For-Teacher accounts. Exposed data includes names, email addresses, student ID numbers, and Canvas messages; passwords, dates of birth, government IDs, and financial information were not compromised.","Instructure Canvas LMS suffers unauthorized access via Free-For-Teacher account vulnerability; personal data of","Security Incident Update & FAQs Instructure recently identified unauthorized activity in Canvas LMS. We took immediate steps to contain the activity, brought in outside forensic experts, and notified law enforcement. We're sharing this FAQ to help students, parents, faculty, and staff understand what happened and what to do next. 1. What happened? On April 29, 2026, we detected unauthorized activity in Canvas. We immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts. On May 7, 2026, we identified additional unauthorized activity tied to the same incident. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas. 
Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards. We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we're committed to resolving the issues with these accounts. In the meantime, Canvas is fully back online and available for use. 2. What is Instructure doing to prevent this from happening again? We've taken several steps in response to the incident. We identified the issue related to Free-For-Teacher accounts and temporarily shut down those accounts. This was a difficult decision because Free-For-Teacher accounts are an important part of our platform, but it was the right step to protect customers and users while we complete additional safeguards. We also revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms. We engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements. Our published security and compliance materials are available at trust.instructure.com. As we respond to this incident, we're focused on three things: completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data. Trust is earned through actions and we’re committed to earning yours. 3. Were other Instructure products impacted in these incidents? 
No, Parchment, Mastery, Canvas Catalog and our other products were not impacted in these incidents. 4. What information was involved? Based on the investigation so far, the data taken in the April 29 incident includes certain personal information of users at affected organizations. That includes names, email addresses, student ID numbers, and messages among Canvas users. We have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. Based on the investigation to date, we have not found evidence that data was taken during the May 7 activity. The investigation is ongoing, and we'll share more as findings are verified. 5. Has the incident been contained? Is Canvas safe to use? Yes. Canvas is fully back online and available for use. Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform. We've identified the underlying issue tied to Free-For-Teacher accounts and temporarily shut those accounts down to remove the access path the actor used. We've also revoked privileged credentials and access tokens tied to affected systems, deployed additional platform protections, rotated internal keys, restricted token creation pathways, and added monitoring across our platforms. We will continue to monitor the situation closely. 6. Was my organization affected? How will I know? We notified impacted organizations on May 5, 2026. If your organization is affected, Instructure will contact your organization’s primary contacts directly. Please don't rely on third-party lists or social media posts naming potentially affected organizations as those lists aren't verified. Instructure will confirm validated information through direct outreach to all affected organizations. 7. I'm a student, parent, or employee at an affected organization. What should I do? Your organization is your first point of contact. 
They'll share information specific to your situation as we provide it. In the meantime, it is always a good practice to be cautious of unexpected emails or messages referencing this incident, avoid clicking suspicious links, and report anything unusual to your school or institution’s IT or security team. 8. Has Instructure notified, or will it notify, relevant regulators or data-protection authorities? Instructure is committed to making all applicable legal and regulatory notifications. 9. Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners. 10. Where do I get updates? We are committed to keeping you updated. Instructure.com\u002Fincident_update will serve as the central source for confirmed updates, customer communications, and updated FAQs about this incident. For service availability and operational updates, please visit status.instructure.com. 
If your organization is impacted, we'll communicate directly through your established organization contacts","https:\u002F\u002Fwww.instructure.com\u002Fincident_update","https:\u002F\u002Fwww.instructure.com\u002Fsites\u002Fdefault\u002Ffiles\u002Fimage\u002F2025-07\u002F2025-Meta-OG-thumb-ENG_0.jpg","2026-05-08T16:25:43+00:00","2026-05-08T17:00:13.171+00:00",7,[18,21,24],{"name":19,"type":20},"Instructure","vendor",{"name":22,"type":23},"Canvas LMS","product",{"name":25,"type":23},"Canvas","2e06f76c-d5b9-4f54-9eef-4d3447b10730",{"id":26,"icon":8,"name":28,"slug":29},"Breaches","breaches",[31,36,41],{"category":32},{"id":33,"icon":8,"name":34,"slug":35},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":37},{"id":38,"icon":8,"name":39,"slug":40},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":42},{"id":43,"icon":8,"name":44,"slug":45},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",[]]