Instructure Canvas Cybersecurity Incidents: Analysis of 2025 Salesforce Breach and 2026 Canvas Data 2 & Beta Security Event – Rescana
Publish Date: 2026-05-03 03:00:00
Source Domain: www.rescana.com
Executive Summary
On May 1, 2026, Instructure, the provider of the widely used Canvas learning management system, publicly disclosed a cybersecurity incident and initiated an investigation with external forensics experts. The company placed Canvas Data 2 and Canvas Beta into maintenance mode, warning customers of potential disruptions to services relying on API keys. As of this report, Instructure has not confirmed nor ruled out the exposure of personally identifiable information (PII) in this incident. This event follows a previous breach in September 2025, when a social engineering attack targeting Instructure’s Salesforce instance resulted in unauthorized access to publicly available business contact information, but not to product or customer data. The September 2025 incident was attributed by public claim to the threat actor ShinyHunters. Both incidents highlight the persistent targeting of education technology firms, which hold significant volumes of sensitive student and educator data. Instructure has notified federal law enforcement regarding the September 2025 breach and has implemented additional security measures. The investigation into the May 2026 incident is ongoing, and no technical details or confirmed data exposure have been disclosed as of the latest available information. All information in this summary is based on official disclosures and sector analysis as of May 1, 2026. [https://www.instructure.com/resources/blog/security-incident-update], [https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/], [https://techjacksolutions.com/scc-intel/instructure-canvas-discloses-second-cybersecurity-incident-in-eight-months-amid-ongoing-investigation/]
Technical Information
The September 2025 incident at Instructure was the result of a social engineering attack, specifically targeting the company’s Salesforce instance. Social engineering refers to the manipulation of individuals into…
