Instructure

From Instructure:

"Latest Update: 5/20/26

We know that concerns around the scope and nature of data involved remain top of mind for many of our customers. We continue to work diligently with leading forensic experts to complete our analysis, and these efforts remain ongoing.

To support our affected customers, we will be providing Canvas Administrators with preliminary findings about the data fields that were exfiltrated. Instructions for how to access this information will be provided directly to Canvas account administrators. We are hopeful that these preliminary findings represent an important first step in providing the specifics related to data involved that we know our customers – and community – are eagerly awaiting. As always, customers’ Instructure point of contact will be available to support with questions, provide general background information, address business continuity concerns, and support day-to-day needs.

For information related to Parchment, please visit the Parchment Security Update and Customer FAQs(opens in a new tab).

Please click here(opens in a new tab) to read the FAQs from our most recent customer webinar.

Please click here(opens in a new tab) for a one-page summary of the incident, including what happened and our response."

From Instructure:

"Latest Update: 5/19/26

In the spirit of continued transparency, we have refreshed our incident update page, which will continue to serve as the central repository for new information, resources, and ongoing communications related to this incident. Our goal is to continue to be responsive to the feedback we receive and refine our communications approach as we move forward.

To better support the many people who rely on our products every day, we have organized the Incident Update page by stakeholder group: customers, faculty, and students and families. Each section is designed to provide tailored information and relevant resources specific to the needs and concerns of that audience, making it easier to find the information most meaningful to you. These pages include specific FAQs tailored to our stakeholders, and downloadable resources that we hope provide greater clarity on what has happened to date, and our plans moving forward.

Going forward, we encourage you to refer to your designated incident page for the latest updates and information relevant to you. We will continue to update these pages with additional resources as more information becomes available."

Email sent from the Oklahoma State Department of Education (OSDE) on 5/13/26:

"Dear OSDE Connect Users,

Last week, the Oklahoma State Department of Education received official notification from Instructure regarding the recent Canvas security incident. Their message confirmed that our agency was affected, and the investigation is still underway with support from external forensic specialists. Although initial communication was shared with district leadership last week, we want to reach out directly to you, the educators and staff who use OSDE Connect.

Importantly, no student accounts or student data were affected in the OSDE Connect incident.

We want to ensure you are informed of potential impacts and steps you can take to protect your accounts. We are also working to determine whether any additional systems were included in Instructure’s notification.

Our OSDE Canvas accounts store the following user information:

• First name
• Last name
• Account password
• Email address

Potential Risks to Users

• Identity Theft: Your name, password, or email could be used for impersonation or phishing.

• Privacy Concerns: Messages or communication within Canvas may have been exposed.

• Phishing Attempts: Attackers may try to use the information to create more convincing fraudulent messages.

Recommended Actions for All Users

We strongly encourage educators and staff to take the following steps as soon as possible:

• Change your OSDE Connect password, as well as passwords for any accounts using the same email or password. Instructions on how to change your OSDE Connect password are attached HERE.

• Be cautious with unexpected emails, messages, or links—phishing attempts may increase.

• Monitor your email, your OSDE Connect account, and other systems for unusual or suspicious activity.

• Check that messages requesting action are from official district or OSDE sources.

As the investigation continues, we recognize that this incident represents a significant data exposure. Users should remain vigilant and watch for any signs of suspicious activity or misuse. We will share updates as soon as more verified information becomes available.

Together, we can help safeguard our systems and protect the security of our data."

Update from Instructure:  https://www.instructure.com/incident_update 

"To our Instructure community,

I'll start where I should: with an apology.

Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn't get answered. You deserved more consistent communication from us, and we didn't deliver it. I'm sorry for that.

Here's what we know.

This incident involved unauthorized access to part of our environment. The data fields involved include information like usernames, email addresses, course names, enrollment information and messages. Core learning data (course content, submissions, credentials) was not compromised. We're still validating all findings, but we want to be clear about what we understand was and wasn't affected.

We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review. We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.

Last week, we made a call to get the facts right before speaking publicly. That instinct isn't wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You've been clear about that, and it's fair feedback. We will change that moving forward.

So here's what we're changing.

We've launched a dedicated Incident Update page, a single place with what we know, what we're doing, and what's next. We'll post another update within 48 hours and we're working on delivering a summary of the forensics report; which we'll share as soon as it's ready.

Two things you can count on right now:

• Canvas by Instructure is fully operational and remains safe to use. Core learning data is not compromised.
• We'll give you clear guidance if any action is required on your end. Right now, there's nothing you need to do.

Keep reaching out to your Customer Success teams and through our Community channels. Your feedback is shaping how we respond.

Rebuilding trust takes time. We're going to earn it back through consistent action and honest communication. We're in this for you and your community.

Thank you for your patience and for everything you do for learners.

Steve Daly CEO, Instructure"

---

"STATUS UPDATE 5/11/26

We know that concerns about the potential publication of data related to this incident remain top of mind for many customers. We understand how unsettling situations like this can be, and protecting our community remains our top priority.

With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident. As part of that agreement:

• The data was returned to us.
• We received digital confirmation of data destruction (shred logs).
• We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.
• This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.

We continue to work with expert vendors to support our forensic analysis, further harden our environment, and conduct a comprehensive review of the data involved. As our investigation draws closer to a conclusion, we also intend to share additional details about the root cause and lessons learned, with the goal of helping the broader education technology community better understand and defend against similar threats. We will continue to provide updates as that work progresses.

We are currently organizing a webinar with Instructure leadership to detail information about the cyber attack and our activities to harden the system. We currently believe it will be on May 13 and will be done in multiple time zones.

Please continue to reference https://www.instructure.com/incident_update for the latest information from us. Click here for our previous status updates."

From Instructure:

"STATUS UPDATE 5/9/26

• Canvas is fully back online and available for use.
• We have established this incident update page as a central source of information for our customers, students, parents, faculty and staff. We will continue to update this page with the latest information we are able to share.  We will also aim to answer common questions raised by our community.
• We are working with a best-in-class forensic firm, CrowdStrike, to support our team’s forensic analysis of this incident, as well as recommendations to further harden our environment.
• We have also onboarded an additional expert vendor to conduct a comprehensive e-discovery exercise on the data that was involved  so that we can provide customers with further specificity. We do want to set expectations that this comprehensive review is expected to take some weeks to complete.
• FAQ updated and can be found on this page below.

Please continue to reference https://www.instructure.com/incident_update for the latest information from us."

Update: May 7, 2026 - 8:30 PM

Mustang Public Schools received an additional update from Instructure regarding the ongoing Canvas cybersecurity incident.

According to Instructure, on May 7, an unauthorized actor made changes to pages visible to some Canvas users while logged into the platform. Instructure reported that it immediately placed portions of Canvas into maintenance mode to contain the activity and prevent additional unauthorized access.

Instructure stated that, at this time, its investigation has found no evidence that the unauthorized actor obtained institutional account credentials or accessed additional data beyond what was previously communicated.

Instructure also shared that both the original incident and the May 7 activity were connected to vulnerabilities associated with Free-For-Teacher Canvas accounts. As part of its response, Instructure has temporarily disabled those accounts while continuing its investigation and remediation efforts.

Mustang Public Schools will continue monitoring verified updates provided by Instructure and will share additional information as it becomes available.

---

Update: May 7, 2026 - 4:00 PM

Mustang Public Schools continues to monitor updates related to the ongoing Instructure cybersecurity incident. Instructure’s public status page currently reflects service disruptions and maintenance activity affecting portions of the Canvas platform.

At this time, Mustang Public Schools has not received additional confirmed information regarding the scope of the incident beyond previous communications. Because the investigation remains ongoing, information related to this incident may evolve as additional findings are confirmed.

The district will continue coordinating with Instructure and monitoring verified updates as they become available.

---

Mustang 5th-12th Grade Families & Staff,

Mustang Public Schools was recently notified of a cybersecurity incident involving Instructure, the company that previously provided the Canvas learning management system (LMS) used by the district for students in grades 5-12. 

What We Know:

• According to information provided by Instructure, an unauthorized third party accessed certain data associated with Canvas accounts.
• Timeline:
  • April 25, 2026: Unauthorized access activity began within Instructure systems
  • April 29, 2026: Instructure detected the activity and revoked the unauthorized access
  • April 30, 2026: Security patches and additional protections were implemented
  • May 5, 2026: Instructure notified impacted organizations, including Mustang Public Schools
• Based on the investigation to date, the information involved may include names, email addresses, student ID numbers, and messages exchanged within the Canvas platform.
• At this time, Instructure reports there is no evidence that passwords, dates of birth, or other information were involved in the incident.
• This incident was limited to systems managed by Instructure and did not involve Mustang Public Schools’ servers or internal systems.

Although Mustang Public Schools transitioned to Google Classroom as its current LMS beginning with the 2025-2026 school year, the district maintained limited access to Canvas during the transition so teachers could retrieve instructional materials and course content from prior years. Following notification of this incident, the district has accelerated plans to discontinue Canvas access.

Although passwords were not reportedly accessed, please remain cautious about phishing emails or other suspicious messages that may appear legitimate.

As a reminder:

• Be cautious when opening unexpected emails or clicking unfamiliar links
• Do not share passwords or personal information through email
• Verify messages that appear to come from schools or educational platforms
• If the same password is used across multiple accounts, consider updating those passwords as a precaution

Instructure has said they will provide ongoing updates on their website at https://status.instructure.com/.  

We have also created a webpage where families can review updates as they become available: www.mustangps.org/families-students/morsey-learning-models/instructure.

We understand that news like this can cause concern, and we appreciate your continued partnership and support.  We will continue to monitor updates from Instructure and will share additional information with families as we receive it.