Instructure investigating breach at Canvas LMS provider, second incident in months
Original source: Edu tech firm Instructure discloses cyber incident, probes impact (BleepingComputer)
Instructure, the company behind the Canvas learning management system used by schools and universities worldwide, confirmed a cybersecurity incident attributed to a criminal threat actor. CSO Steve Proud said outside forensics experts are assisting the investigation, but the company has not disclosed the scope, attack vector, or whether student or staff data was accessed. Canvas Data 2 and Canvas Beta have been under maintenance since May 1, with API-dependent tooling flagged as potentially impacted, though Instructure has not confirmed a link to the breach.
This is the second disclosed compromise in under a year. In September 2025, ShinyHunters claimed a social-engineering attack against Instructure’s Salesforce instance and listed the company on a leak site. Infinite Campus and PowerSchool — the latter losing data on 62 million students in January 2025 — have been hit in the same wave of attacks targeting ed-tech vendors that aggregate large pools of minor and educator PII.
The pattern is consistent: Salesforce-tenant intrusions via social engineering, ed-tech as a high-yield target, and slow public confirmation while forensics catches up. Customers reliant on Canvas APIs should treat the maintenance window as suspect until Instructure clarifies whether credentials or tokens are in scope.
This is an AI-generated summary. Read the original for the full story.