Cybersecurity | 2 hrs ago

Instructure CEO Steve Daly apologizes for communication gaps after Canvas cyberattack exposes user data

Instructure CEO Steve Daly apologizes for poor communication after a Canvas cyberattack exposed usernames, emails, course names and messages, while core learning data remained safe.

Peter Olaleru/3 min/NG

Cybersecurity Editor


TL;DR: Instructure CEO Steve Daly apologized for inadequate communication during a Canvas cyberattack that exposed usernames, email addresses, course names, enrollment data and messages, but left core learning content intact. The firm has launched a dedicated incident update page and will share a forensics report summary within 48 hours.

Context: The breach was identified when unusual activity appeared in the Free for Teacher support ticket subsystem. Attackers exploited a vulnerability there to gain access to part of Instructure’s environment. Canvas remained operational while the company isolated the affected service and began an investigation.

Key Facts: The exposed data included usernames, email addresses, course names, enrollment information and internal messages. Core learning data such as submissions, course content and credentials were not compromised. Instructure has disabled the Free for Teacher support ticket system pending a full security review and promised another update within 48 hours plus a forthcoming forensics report summary.

What It Means: For educational institutions, the breach raises concerns about credential harvesting and phishing risks despite the absence of direct learning material theft. Organizations using Canvas should monitor for suspicious login attempts and consider reinforcing multi-factor authentication on linked accounts. The incident also highlights the importance of timely, transparent communication during cyber events.

What Defenders Should Do: Apply the latest security patches to the Free for Teacher support ticket component as soon as they are released. Monitor logs for exploitation attempts matching MITRE ATT&CK technique T1190 (Exploit Public‑Facing Application) and unusual access to user‑profile endpoints. Enforce MFA for all administrative and teacher accounts, review third‑party integrations for excessive privileges, and follow Instructure’s incident update page for official advisories and IOCs.

Watch for the upcoming forensics report summary and any further guidance from Instructure’s incident update page within the next 48 hours.
