## To our Instructure community,
I'll start where I should: with an apology.
Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that.
Here's what we know.
This incident involved unauthorized access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data \(course content, submissions, credentials\) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.
We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review. We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.
Last week, we made a call to get the facts right before speaking publicly. That instinct isn't wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward.
So here's what we're changing.
We've launched a dedicated Incident Update page, a single place with what we know, what we're doing, and what's next. We'll post another update within 48 hours and we're working on delivering a summary of the forensics report; which we'll share as soon as it's ready.
Two things you can count on right now:
* Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.
* We'll give you clear guidance if any action is required on your end. Right now, there's nothing you need to do.
Keep reaching out to your Customer Success teams and through our Community channels. Your feedback is shaping how we respond.
Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.
Thank you for your patience and for everything you do for learners.
_**Steve Daly CEO, Instructure**_
STATUS UPDATE 5/11/26
We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.
With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:
* The data was returned to us.
* We received digital confirmation of data destruction \(shred logs\).
* We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
* This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.
While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible. We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. We will continue to provide updates as that work progresses.
Please continue to reference [https://www.instructure.com/incident\_update](https://www.instructure.com/incident_update) for the latest information from us.
What happened?
On April 29, 2026, we detected unauthorized activity in Canvas. We immediately revoked the unauthorized party’s access, started an investigation, and engaged outside forensic experts.
On May 7, 2026, we identified additional unauthorized activity tied to the same incident. The unauthorized actor made changes to the pages that appeared when some students and teachers were logged in through Canvas. Out of caution, we temporarily took Canvas offline into maintenance mode to contain the activity, investigate, and apply additional safeguards.
We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts. These accounts have been a core part of our platform, and we're committed to resolving the issues with these accounts.
In the meantime, Canvas is fully back online and available for use.
Has the incident been contained? Is Canvas safe to use?
Yes. Canvas is fully back online and available for use. Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.
We've identified the underlying issue tied to Free-For-Teacher accounts and temporarily shut those accounts down to remove the access path the actor used. We've also revoked privileged credentials and access tokens tied to affected systems, deployed additional platform protections, rotated internal keys, restricted token creation pathways, and added monitoring across our platforms. We will continue to monitor the situation closely.