Cybersecurity · 2 hrs ago

UC Blocks Canvas Access After Instructure Data Breach

University of California halts Canvas use system-wide following a breach notice from Instructure, pending campus-by-campus security reviews.

Peter Olaleru/3 min/US

Cybersecurity Editor


Source: University of California (original source)

The University of California temporarily blocked Canvas access across all campuses after Instructure reported a data breach affecting its learning‑management system. Access will be restored only after each campus confirms the platform is secure.

On May 6, 2026, Instructure notified UC of a security incident involving its Canvas platform, which serves thousands of educational institutions worldwide. The notice indicated that unauthorized actors had gained access to certain UC‑related data stored in Instructure’s environment.

UC’s Office of the President responded on May 7 by directing every campus to block or redirect Canvas traffic until the system could be verified as safe. This system-wide precaution affected faculty, students, and staff who rely on Canvas for coursework and administration.

By May 8, Instructure stated the incident had been contained and remediated. UC began evaluating, on a campus‑by‑campus basis, when to resume normal Canvas use based on operational needs and risk assessments.

The breach involved unauthorized access to Instructure’s backend systems that host Canvas user data, though Instructure has not disclosed the exact number of records compromised or a specific CVE identifier. Initial analysis pointed to credential‑based techniques (MITRE ATT&CK T1078) possibly combined with phishing (T1566) to obtain privileged access.

UC’s block affected all ten UC campuses and affiliated medical centers, disrupting access to course materials, grades, and communication tools. No evidence has been released that UC‑specific data was exfiltrated, but the precautionary measure aims to prevent any potential misuse.

Instructure has shared Indicators of Compromise (IOCs) with its customers and advised enabling multi‑factor authentication, reviewing privileged account activity, and applying the latest security patches to integrated plugins.

For UC, the interruption highlights the reliance on third‑party SaaS platforms and the need for rapid, coordinated response when a vendor reports a breach. Campuses must balance educational continuity with security verification before restoring service.

Defenders should: (a) review Instructure’s IOC feed and block matching IPs or hashes; (b) enforce MFA for all Canvas‑linked accounts; (c) audit logs for anomalous login attempts (MITRE ATT&CK T1078.001); (d) ensure any custom LTI tools are patched to the latest versions; (e) segment network traffic to isolate SaaS applications from core infrastructure.
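As an added illustration (not code from Instructure, UC, or the original article), the sketch below shows how steps (a) through (c) can be combined into one pass over a login export: it flags sign-ins from IOC networks, successful sign-ins without MFA, and a success that follows a burst of failures. The CSV column names, the thresholds, and every IP address are assumptions constructed for the example; the addresses come from documentation ranges and are not real indicators.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: documentation-range IPs (RFC 5737), not real indicators.
IOC_NETWORKS = ["203.0.113.0/24", "198.51.100.7/32"]

# Constructed SSO login export; the column names are an assumption, not a Canvas format.
SAMPLE_LOG = """timestamp,user,src_ip,result,mfa
2026-05-06T08:00:01,alice,192.0.2.10,success,yes
2026-05-06T08:01:00,bob,198.51.100.7,success,yes
2026-05-06T08:02:00,carol,192.0.2.44,failure,no
2026-05-06T08:02:20,carol,192.0.2.44,failure,no
2026-05-06T08:02:40,carol,192.0.2.44,failure,no
2026-05-06T08:03:00,carol,192.0.2.44,success,no
2026-05-06T09:30:00,dave,192.0.2.80,failure,no
2026-05-06T11:45:00,dave,192.0.2.80,success,yes
"""

def audit_logins(log_text, ioc_networks, fail_threshold=3, window=timedelta(minutes=10)):
    """Return sorted (user, reason) findings for IOC hits, missing MFA, and
    a success that follows a burst of failures for the same account."""
    nets = [ipaddress.ip_network(n) for n in ioc_networks]
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    findings = set()
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        user, ip = row["user"], ipaddress.ip_address(row["src_ip"])
        if any(ip in net for net in nets):
            findings.add((user, "ioc_ip"))
        if row["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        if row["mfa"] != "yes":
            findings.add((user, "no_mfa"))
        # Only failures inside the window count toward the burst.
        burst = [t for t in recent_failures[user] if ts - t <= window]
        if len(burst) >= fail_threshold:
            findings.add((user, "success_after_failures"))
        recent_failures[user].clear()
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in audit_logins(SAMPLE_LOG, IOC_NETWORKS):
        print(f"{user}: {reason}")
```

The failure window keeps an isolated mistyped password hours earlier (the `dave` rows) from being counted as a burst.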

UC will continue to consult Instructure and its own cybersecurity teams, issuing campus‑specific guidance as risk assessments conclude. The next development to watch is the official timeline for Canvas restoration at each location and any further updates from Instructure on the breach’s scope and remediation steps.
