@zackwhittaker oh FFS - thanks for flagging the noindex
douglevin@infosec.exchange
Posts
-
Edtech giant Instructure was hacked (twice) — and finally put up a security incident page after the mass-defacement of Canvas school login pages.
-
@knapjack While some have claimed that the Canvas login page was 'hacked' - including most of the initial media reports - I suspect it was the compromise of a built-in broadcast messaging feature. (Though, I suppose it could be both, or something else altogether.)
Reporter Joe Tidy (BBC) describes a report of how the delivery of Friday's extortion demand was experienced by active users:
Cyber Attack Disrupts Student Exam | Joe Tidy posted on the topic | LinkedIn
It's really hard to bring cyber attacks to life for the average reader. As my mum always helpfully reminds me - [in a Dudley accent] "cyber is bloody boring!". But I spoke to a student whose exam was literally interrupted by the Canvas hack and it was one of those rare visual incidents that makes you wonder at the power of these cyber criminals. Oh and I asked Shiny Hunters if they cared about the impact and disruption they were having on people like Aubrey. "We don't have a comment about that", was the answer. https://lnkd.in/e76nRswq
-
Thanks for your insights.
@knapjack re: defacing see: https://news.ycombinator.com/item?id=48057532 (low confidence, but could be legit)
Many rumors of info stealers on login page, but near as I can tell it all goes back to this claim: https://old.reddit.com/r/sysadmin/comments/1t6m7e0/canvas_instructure_lms_seems_to_have_been_hit_by/okijzkm/ (which also is low confidence)
-
If anyone is bored this weekend - and wants to help the edu sector out in the wake of the Canvas LMS attacks - take a gander at the recently implemented and forthcoming security patches in Canvas LMS and see what you might glean. Instructure - the company that was attacked - has provided scant technical details on how initial access and exfil happened - and as a result customers (schools and universities) are left unsure as to how to trust the software or what mitigations to put in place.
Instructure has said the attack was "carried out...by exploiting an issue related to our Free-For-Teacher accounts" https://www.instructure.com/incident_update
Precautionary UX changes made by Instructure in response https://community.instructure.com/en/discussion/666044/incident-change-log-for-may-2026
Instructure Enforcements, Deprecations, and Breaking Changes (which contain some upcoming security related changes): https://community.instructure.com/en/kb/articles/664261-instructure-enforcements-deprecations-and-breaking-changes
May be other threads to pull; this is being actively worked on by many.
Thank you!
-
Instructure has posted an FAQ about the ongoing Canvas LMS cyber incident https://www.instructure.com/incident_update #edtech #canvas #instructure #edusec
-
I've really got to sort out tagging from posts made on the @posts account.
-
@simon @posts I take all those audits/assessments as signifiers of a potentially strong cybersecurity program, but none are perfect - and, in some cases, they are indeed simply performative. More about trying to manage risk - and even liability, if it comes that - than any sort of guarantee.
When regulators review the incident - at least here in the US - they'll try to determine if the company took 'reasonable' steps to safeguard the data in their care. That's a slippery word - and one that keeps many a lawyer employed.
-
@simon @posts Can't ever guarantee that you'll not be a victim of cybercrime. 100% secure is simply not a thing.
We need to learn more about how they were compromised - and for how long - to better judge.
Having said that - to date - their response has seemed competent and quick and forthright, which is not something I see much (as someone who has tracked education cyber incidents for a decade).
As details emerge (the incident was discovered less than a week ago), I may of course revise my views.
-
@simon @posts have you seen https://trust.instructure.com? Not defending the company, but we've been tracking as it also affects US primary/secondary schools - among many others.