Instructure Canvas Cybersecurity Incidents: Analysis of 2025 Salesforce Breach and 2026 Canvas Data 2 & Beta Security Event

Executive Summary

On May 1, 2026, Instructure, the provider of the widely used Canvas learning management system, publicly disclosed a cybersecurity incident and initiated an investigation with external forensics experts. The company placed Canvas Data 2 and Canvas Beta into maintenance mode, warning customers of potential disruptions to services relying on API keys. As of this report, Instructure has neither confirmed nor ruled out the exposure of personally identifiable information (PII) in this incident. This event follows a previous breach in September 2025, when a social engineering attack targeting Instructure’s Salesforce instance resulted in unauthorized access to publicly available business contact information, but not to product or customer data. The September 2025 incident was attributed by public claim to the threat actor ShinyHunters. Both incidents highlight the persistent targeting of education technology firms, which hold significant volumes of sensitive student and educator data. Instructure has notified federal law enforcement regarding the September 2025 breach and has implemented additional security measures. The investigation into the May 2026 incident is ongoing, and no technical details or confirmed data exposure have been disclosed as of the latest available information. All information in this summary is based on official disclosures and sector analysis as of May 1, 2026. [https://www.instructure.com/resources/blog/security-incident-update], [https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/], [https://techjacksolutions.com/scc-intel/instructure-canvas-discloses-second-cybersecurity-incident-in-eight-months-amid-ongoing-investigation/]

Technical Information

The September 2025 incident at Instructure was the result of a social engineering attack, specifically targeting the company’s Salesforce instance. Social engineering refers to the manipulation of individuals into divulging confidential information or performing actions that compromise security, often through phishing or pretexting. In this case, attackers gained access to business contact data, which was largely publicly available and did not include product or customer data. The attack did not involve malware or technical exploitation of software vulnerabilities. The incident was mapped to the MITRE ATT&CK framework as follows: Initial Access (Tactic), Phishing (T1566, Technique), and Valid Accounts (T1078, Technique) if credential theft was involved. Data collection was limited to business contact information, aligning with Data from Information Repositories (T1213, Technique). The threat actor ShinyHunters publicly claimed responsibility for this breach, but no technical artifacts or infrastructure links were provided to corroborate this attribution. The confidence level for the attack vector is high, based on explicit disclosure, while attribution confidence is medium due to the lack of technical evidence.

The May 2026 incident remains under active investigation. Instructure has confirmed that a criminal threat actor perpetrated the attack, but has not disclosed the specific attack vector, techniques, or tools used. The company has not confirmed whether any PII or sensitive data was accessed or exfiltrated. As a precaution, Canvas Data 2 and Canvas Beta were placed into maintenance mode, and customers were advised of potential issues with API key-dependent services. No malware, indicators of compromise, or technical details have been released as of the latest reporting. The MITRE ATT&CK mapping for this incident is limited to Initial Access (Tactic), with the technique undetermined but likely to involve social engineering or credential access based on sector patterns. The confidence level for technical details in this incident is low due to the absence of public disclosure.

Sector analysis indicates that education technology firms, including Instructure, PowerSchool, and Infinite Campus, have been persistently targeted by threat actors due to the large volumes of sensitive data they manage. The repeated targeting of Instructure within an eight-month period underscores the ongoing risk to the sector and the importance of robust incident response and transparency. The September 2025 incident prompted Instructure to notify federal law enforcement and implement additional security measures. No regulatory filings or law enforcement advisories specific to the May 2026 incident have been published as of this report.

A summary table of the incidents is provided below:

| Incident Date | Attack Vector | MITRE ATT&CK Techniques | Malware/Tools | Threat Actor | Data Compromised | Confidence Level |
| --- | --- | --- | --- | --- | --- | --- |
| Sep 2025 | Social engineering | T1566, T1078, T1213 | None | ShinyHunters (claim) | Business contact info | High (vector), Medium (actor) |
| May 2026 | Undisclosed (likely social engineering or credential access) | Unknown (likely T1566/T1078) | None | Unknown | Unknown | Low |

All technical claims in this section are based on primary sources and mapped to MITRE ATT&CK where possible, with explicit confidence levels for each attribution. [https://www.instructure.com/resources/blog/security-incident-update], [https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/], [https://techjacksolutions.com/scc-intel/instructure-canvas-discloses-second-cybersecurity-incident-in-eight-months-amid-ongoing-investigation/]

Affected Versions & Timeline

The September 2025 incident affected Instructure’s Salesforce instance, which is used for business operations and customer relationship management. No Instructure products or product data, including the Canvas learning management system, were accessed. The breach was limited to business contact information.

The May 2026 incident prompted the company to place Canvas Data 2 and Canvas Beta into maintenance mode. These platforms are used by educational institutions for data analytics and testing new features, respectively. Customers were warned of potential disruptions to services that rely on API keys. As of the latest disclosures, Instructure has not confirmed whether any specific product versions or customer environments were compromised.

The timeline of key events is as follows: In September 2025, Instructure disclosed a breach involving social engineering and unauthorized access to its Salesforce instance. Federal law enforcement was notified, and additional security measures were implemented. On May 1, 2026, Instructure disclosed a new cybersecurity incident, with Canvas Data 2 and Canvas Beta placed into maintenance and an investigation launched with external forensics experts. The company has not confirmed or ruled out the exposure of PII in the May 2026 incident. [https://www.instructure.com/resources/blog/security-incident-update], [https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/], [https://techjacksolutions.com/scc-intel/instructure-canvas-discloses-second-cybersecurity-incident-in-eight-months-amid-ongoing-investigation/]

Threat Activity

The September 2025 incident was characterized by a social engineering attack targeting Instructure’s Salesforce environment. Social engineering attacks typically involve phishing emails, pretexting, or other manipulative tactics to trick employees into revealing credentials or granting unauthorized access. In this case, the attackers accessed business contact information, which was largely publicly available. The threat actor ShinyHunters claimed responsibility for the breach and listed Instructure on a data leak site, but no technical evidence was provided to substantiate this claim. No malware or technical exploitation was involved, and no product or customer data was accessed.

The May 2026 incident is under active investigation. Instructure has confirmed that a criminal threat actor was involved, but has not disclosed the specific methods or tools used. The company has not confirmed whether any sensitive data was accessed or exfiltrated. The placement of Canvas Data 2 and Canvas Beta into maintenance mode suggests a precautionary response to potential compromise or risk to these platforms. The lack of technical details limits the ability to assess the full scope of threat activity in this incident.

Sector-wide, education technology firms have been increasingly targeted by threat actors seeking to exploit the large volumes of sensitive data they manage. Previous incidents at PowerSchool and Infinite Campus involved similar attack vectors, including social engineering and unauthorized access to Salesforce environments. The repeated targeting of Instructure within an eight-month period highlights the persistent threat to the sector and the need for ongoing vigilance and robust security measures. [https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/], [https://techjacksolutions.com/scc-intel/instructure-canvas-discloses-second-cybersecurity-incident-in-eight-months-amid-ongoing-investigation/]

Mitigation & Workarounds

Based on the confirmed facts and sector analysis, the following mitigation and workaround recommendations are prioritized by severity:

Critical: Organizations using Instructure products, especially Canvas Data 2 and Canvas Beta, should immediately review access logs and monitor for unusual activity, particularly involving API keys and integrations. Any signs of unauthorized access should be reported to internal security teams and Instructure support.

High: All users and administrators should be reminded of the risks of social engineering and phishing attacks. Security awareness training should be updated to include recent attack patterns targeting education technology platforms. Multi-factor authentication (MFA) should be enforced for all administrative and privileged accounts, especially those with access to sensitive data or third-party integrations such as Salesforce.

Medium: Organizations should review and update incident response plans to ensure rapid detection, containment, and notification procedures are in place for potential breaches involving third-party platforms. Regular audits of third-party integrations and permissions should be conducted to minimize unnecessary access.

Low: Customers should stay informed by monitoring official Instructure communications and sector advisories for updates on the ongoing investigation. Consider subscribing to threat intelligence feeds relevant to the education technology sector.

These recommendations are based on the technical details and sector patterns confirmed in the available evidence. No specific software patches or technical workarounds have been released by Instructure as of this report. [https://www.instructure.com/resources/blog/security-incident-update], [https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/]
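One way to carry out the Critical recommendation's access-log review for API keys, as an added example that is not Instructure's or Rescana's code: it baselines the source networks each key was used from and flags later requests from a new network or from a key absent from the baseline. The CSV columns, key names, IP addresses and the review cut-off date are all constructed assumptions, not a Canvas log format or a date taken from the disclosures.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed sample of an API access-log export (hypothetical columns and
# values; documentation-range IPs; not a Canvas or Instructure log format).
SAMPLE_LOG = """\
timestamp,key_id,source_ip,endpoint,status
2026-04-20T08:00:00Z,key-sis-sync,198.51.100.10,/tables/users,200
2026-04-22T08:00:00Z,key-sis-sync,198.51.100.11,/tables/users,200
2026-04-25T09:30:00Z,key-reporting,203.0.113.5,/tables/submissions,200
2026-04-30T23:10:00Z,key-sis-sync,192.0.2.77,/tables/users,200
2026-04-30T23:12:00Z,key-sis-sync,192.0.2.77,/tables/enrollments,200
2026-05-01T02:00:00Z,key-reporting,203.0.113.9,/tables/submissions,200
2026-05-01T03:00:00Z,key-retired,192.0.2.80,/tables/users,401
"""

# Constructed cut-off between "baseline" and "under review"; the page gives
# no intrusion start date, so choose this from your own retention window.
REVIEW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)


def find_api_key_anomalies(log_text, review_start, prefix_len=24):
    """Return (timestamp, key_id, source_ip, reason) for requests made on or
    after review_start by a key, or from a network, absent from the baseline."""
    baseline = defaultdict(set)  # key_id -> source networks seen before cut-off
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        # Compare at network granularity so normal address churn inside one
        # integration's egress range does not raise a finding.
        net = ip_network(f"{row['source_ip']}/{prefix_len}", strict=False)
        key = row["key_id"]
        if ts < review_start:
            baseline[key].add(net)
            continue
        if key not in baseline:
            reason = "key not seen in baseline"
        elif net not in baseline[key]:
            reason = "new source network"
        else:
            continue
        findings.append((row["timestamp"], key, row["source_ip"], reason))
    return findings
```

Findings are leads for the internal security team to triage, not proof of compromise: a rotated key or a migrated integration host produces the same signal.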

References

https://www.instructure.com/resources/blog/security-incident-update

https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/

https://techjacksolutions.com/scc-intel/instructure-canvas-discloses-second-cybersecurity-incident-in-eight-months-amid-ongoing-investigation/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and supply chain partners. Our platform enables continuous monitoring of vendor security posture, supports incident response workflows, and facilitates evidence-based risk assessments. For questions regarding this advisory or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.