Edu tech firm Instructure investigates cyber incident impact
▼ Summary
– Instructure, the company behind the Canvas learning platform, disclosed a cybersecurity incident by a criminal threat actor and is investigating with outside experts.
– Since May 1, some services like Canvas Data 2 and Canvas Beta have been under maintenance, potentially causing issues with tools relying on API keys.
– The company has not confirmed if the maintenance is related to the security incident.
– Threat actors increasingly target education tech firms for their large stores of personal data, as seen in recent breaches at PowerSchool and Infinite Campus.
– In September 2025, Instructure suffered a separate breach via social engineering, with the ShinyHunters threat actor claiming responsibility and listing the company on a data leak site.
Instructure, the education technology company behind the widely used Canvas learning management system, has confirmed a recent cybersecurity incident and is actively working to assess its scope and impact. The U.S.-based firm, which provides digital infrastructure for schools, universities, and organizations to manage coursework and online learning, is now conducting a thorough investigation with the assistance of external forensic experts.
“Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts,” stated Steve Proud, Chief Security Officer. “We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact. Maintaining your trust is our highest priority, and we are committed to transparency throughout this process.”
The company has pledged to share new details as its investigation progresses. Since May 1, certain services, including Canvas Data 2 and Canvas Beta, have been placed under maintenance. Customers have been warned that tools relying on API keys may experience disruptions during this period. Instructure has not clarified whether this maintenance is directly connected to the reported security breach.
BleepingComputer reached out to Instructure earlier today for further comment but has not yet received a response. Previously, BleepingComputer published and then retracted an earlier report on this incident after discovering it was based on incorrect information from a prior disclosure.
Threat actors have increasingly targeted education technology firms, drawn by the vast repositories of personal data they hold on students and educators. In January 2025, educational software provider PowerSchool disclosed a breach where a threat actor claimed to have stolen data belonging to 62 million students. In September 2025, Instructure itself reported a separate breach resulting from a social engineering attack that gave attackers access to data in its Salesforce instance. At that time, a threat actor known as ShinyHunters claimed responsibility and listed the company on a data leak site. Similar campaigns have also targeted Infinite Campus, with claims of data theft from its Salesforce environment.
(Source: BleepingComputer)
