Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact.
The U.S.-based education technology company is best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning.
“Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts,” reads a statement from Steve Proud, Chief Security Officer.
“We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact. Maintaining your trust is our highest priority, and we are committed to transparency throughout this process.”
Instructure says that it will provide new information regarding its investigation as it becomes available.
Since May 1, some services, including Canvas Data 2 and Canvas Beta, have been under maintenance, with customers warned they may experience issues with tools that rely on API keys.
The company has not stated whether this maintenance is related to the security incident.
BleepingComputer contacted Instructure earlier today with questions about the incident, but has not received a response.
BleepingComputer previously published and retracted an earlier report about this incident after determining it was based on incorrect information from a prior disclosure.
Targeting education technology firms
Threat actors have increasingly targeted education technology firms due to the large amounts of personal information they hold on students and teachers.
In January 2025, educational software provider PowerSchool disclosed a breach in which a threat actor claimed to have stolen data belonging to 62 million students.
In September 2025, Instructure disclosed a separate breach resulting from a social engineering attack that allowed attackers to access data in its Salesforce instance. At the time, a threat actor known as ShinyHunters claimed responsibility for the incident and listed the company on a data leak site.
Threat actors have also targeted Infinite Campus in similar campaigns, with claims of data theft from the company’s Salesforce environment.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
