Data breach hits Canvas learning platform serving millions

Instructure, the company behind Canvas—one of the world’s most widely used learning management systems—is investigating a cybersecurity incident involving a criminal threat actor, the firm confirmed.

“Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts,” said Steve Proud, Chief Information Security Officer (CISO) at Instructure, in a press release, News.Az reports, citing foreign media.

The company said it is working to determine the full scope of the breach and has taken steps to limit its impact. It also emphasized that maintaining user trust remains a top priority and pledged ongoing transparency as the investigation continues.

As part of its response, Instructure has increased monitoring across its platforms. It also reissued certain security keys as a precautionary measure, even though there was no evidence they were misused. As a result, some end users will need to re-authorize access to affected tools.

According to preliminary findings from Instructure, attackers may have accessed or exfiltrated certain user-identifying data, including full names, email addresses, student ID numbers, and messages.

However, the company said there is currently no evidence that more sensitive data—such as passwords, dates of birth, government identification numbers, or financial information—was compromised.

“If that changes, we will notify any impacted institutions,” Instructure said.

Proud added on Saturday that the incident has now been contained, while thanking users for their patience.

“Thank you for your patience as we work to resolve this matter. We sincerely regret any inconvenience or concern this may cause. We will continue to keep you apprised as our investigation progresses,” he said.

Cybersecurity incidents targeting educational technology providers have become increasingly common, as such platforms store large volumes of personal data belonging to students and educators.

In January 2025, PowerSchool disclosed an extortion attempt by a threat actor who claimed to have stolen personal information of millions of students. Separately, a 19-year-old college student from Massachusetts was sentenced to four years in prison for involvement in a ransomware attack.

More recently, in March 2026, Infinite Campus confirmed that a threat actor had targeted its Salesforce instance, exposing names and contact details of school staff members.

News.Az 

By Nijat Babayev