Update on May 29, 2026: For additional information about ED’s ongoing engagement with Instructure and the FERPA implications of this incident, please see the May 12, 2026, letter from ED’s Student Privacy Policy Office to Instructure: Letter on the Importance of Protecting Student Privacy.
Instructure Holdings, Inc. (Instructure), the parent company of the Canvas Learning Management System (Canvas), recently disclosed an ongoing cybersecurity incident affecting Canvas platforms used by K–12 schools and institutions of higher education worldwide. This incident involves unauthorized access to usernames, email addresses, course names, enrollment information, and messages. While some messages may incidentally include personally identifiable information, Instructure stated on their public web page that there is no evidence that passwords, dates of birth, government identifiers, or financial information were exposed.
A ransomware group identified as ShinyHunters claimed responsibility and repeatedly defaced Canvas login pages with ransom demands. Some institutions reported receiving ransom messages when attempting to access Canvas.
For the latest verified information from Instructure, institutions should continue to monitor the Instructure Status Page at instructure.com/incident_update.
Senior U.S. Department of Education (ED) leaders have been actively engaged with Instructure regarding this incident. ED is in contact with Instructure’s chief information security officer about technical details; the affected systems; the population of impacted institutions; and steps to protect students, teachers, school districts, K-12 schools, and institutions of higher education.
ED’s office of Federal Student Aid (FSA) is coordinating with federal partners and continues to analyze incoming information as the investigation progresses. ED’s Student Privacy Policy Office has also requested information from Instructure to ensure compliance with the Family Educational Rights and Privacy Act (FERPA).
Schools are reporting Canvas-related impacts to ED, consistent with existing incident-reporting requirements. ED continues to track every school that reports it received notice from Instructure or observes suspicious activity.
Institutions of higher education should report incidents using established channels, including:
- Email: FSASchoolCyberSafety@ed.gov
If your institution receives a ransom message, threat communication, or evidence of unauthorized access through Canvas, please report immediately.
Instructure publicly confirmed that bad actors compromised the Canvas platform through Free-For-Teacher accounts, a no-cost Canvas account type commonly used outside enterprise-managed environments. Instructure temporarily shut down this service and accounts.
This incident demonstrates the elevated risk posed by any accounts lacking multi-factor authentication (MFA). ED strongly urges all institutions to implement MFA uniformly across all:
- administrative and information technology (IT) systems;
- cloud systems, vendor platforms, and identity providers; and
- school information systems, including Canvas accounts.
Instructure recommends that schools rotate local Canvas integrations, Learning Tools Interoperability tools, single sign‑on connectors, and API keys. Review system, authentication, and Canvas integration logs for unusual access patterns, especially between April 25, 2026, and May 8, 2026.
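The log review described above can be scripted. The following is an added example, not code from ED or Instructure: it assumes a hypothetical CSV export of authentication events (columns `timestamp`, `user`, `source_ip`, `mfa`, `result`) with UTC timestamps, and runs over constructed sample records. It flags successful logins inside the April 25 to May 8, 2026 window that came from a source address not seen for that account earlier, or that completed without MFA.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Review window named in the advisory (inclusive dates; UTC is an assumption).
WINDOW_START = datetime(2026, 4, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 9, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed sample records in a hypothetical export format.
SAMPLE_LOG = """timestamp,user,source_ip,mfa,result
2026-04-10T13:02:11+00:00,jdoe,198.51.100.7,yes,success
2026-04-26T02:14:09+00:00,jdoe,203.0.113.50,no,success
2026-04-27T14:00:00+00:00,jdoe,198.51.100.7,yes,success
2026-05-03T09:30:00+00:00,asmith,192.0.2.15,yes,failure
2026-05-03T09:31:10+00:00,asmith,192.0.2.15,yes,success
2026-05-12T08:00:00+00:00,jdoe,203.0.113.50,no,success
"""

def review(log_text):
    """Return (timestamp, user, ip, reasons) for in-window logins to investigate."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    baseline = defaultdict(set)  # user -> source IPs with a successful login before the window
    findings = []
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        user, ip = row["user"], row["source_ip"]
        if ts < WINDOW_START:
            if row["result"] == "success":
                baseline[user].add(ip)
            continue
        if ts >= WINDOW_END or row["result"] != "success":
            continue
        reasons = []
        # Accounts with no pre-window history are always flagged here.
        if ip not in baseline[user]:
            reasons.append("source IP not seen before window")
        if row["mfa"] != "yes":
            reasons.append("successful login without MFA")
        if reasons:
            findings.append((row["timestamp"], user, ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Map the column names to whatever your identity provider or Canvas log export actually produces, and extend the baseline period as far back as retained logs allow.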
Based on established federal cyber-hygiene principles, FSA recommends all institutions take the following steps to reduce risk:
- Enforce Multi-Factor Authentication Everywhere
  Apply MFA to all school systems, including faculty, staff, and student accounts and all IT/system-administrator access.
- Review and Disable Unused or Legacy Accounts
  Remove or disable non-managed “teacher-created” or “free” accounts, and use institution-bound identity controls wherever possible.
- Require Strong Password and Identity-Management Practices
  Implement passphrases, prevent password reuse, and actively review identity-provider logs.
- Monitor for Indicators of Compromise (IOCs)
  Institutions should actively review logs and system activity for any signs of unauthorized access or unusual behavior. Institutions should monitor for known IOCs provided in vendor or federal advisories, check for unexpected system changes, and promptly investigate suspicious authentication attempts or network activity. When institutions detect unusual activity, they should immediately act to contain the potential security event and report any incident.
- Apply Relevant Patches and Security Adjustments
  Institutions should promptly apply all vendor-issued patches and configuration updates related to their Canvas environments and any connected systems. As emphasized across prior technology security alerts, institutions must update all software components to supported versions, follow vendor guidance for applying fixes, and carefully review any vulnerability information provided. Regularly applying patches, confirming proper versioning, and following vendor-recommended security adjustments remain essential steps in reducing exposure and strengthening institutional defenses.
- Validate Data-Sharing Agreements with Third-Party Vendors
  Confirm that all integration partners meet security requirements and have no unnecessary access to student data. Institutions also should validate that integrations, third-party applications, and local configurations do not introduce additional security risks and confirm that required updates have been fully implemented.
- Prepare for Potential Data-Exposure Queries
  Because public information confirms usernames, email addresses, course names, enrollment information, and messages were compromised, students, parents, and instructors may contact your institution. Coordinate communications according to your cybersecurity incident response plan.
Institutions with questions about Canvas-related reports or who need assistance with incident investigation should continue to coordinate with:
- your institution’s qualified individual, chief information officer, or chief information security officer to properly coordinate across your campus;
- state and local education IT partners, especially if your institution uses shared-service Canvas deployments; and
- Institutions of higher education also may contact the FSA School Cyber Safety Team at FSASchoolCyberSafety@ed.gov.
ED will continue working closely with Instructure to obtain accurate information and support schools during this incident. ED will issue updates as new, verified details are available.