Instructure (Canvas) Cybersecurity Event
This message is intended for U-M leadership.
Summary
Instructure, the parent company of the Canvas Learning Management System, has informed ITS that the University of Michigan was among the organizations whose data was breached in this vendor-related incident. This affects all units that use Canvas.
A follow-up security alert was issued on May 7. For additional information, see the Nationwide Canvas Security Incident FAQ.
Problem
Based on information provided by Instructure to date, the data involved appears to include some personal information, including names, email addresses, and student ID numbers, as well as messages among users. Instructure has stated that, at this time, it has found no indication that passwords, dates of birth, government identifiers, or financial information were involved. Its investigation remains ongoing.
Threats
We are still awaiting additional detailed information about what specific U-M data may have been exposed in order to determine impacts to individuals.
Affected Systems
This incident originated with Instructure and is affecting multiple higher education institutions nationwide.
Action Items
No action is required by affected individuals at this time. Canvas remains accessible and continues to function as expected. We will share additional information as it becomes available, including whether any action is needed from affected individuals.
Instructure has taken the following actions:
- Revoked privileged credentials and access tokens associated with affected systems
- Deployed patches to enhance system security
- Out of an abundance of caution, rotated certain keys, even though there is no evidence they were misused
- Implemented increased monitoring across all platforms
ITS is in active communication with Instructure and is continuing to review the information provided by the vendor to understand any potential impact to the university community.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- https://status.instructure.com/incidents/9wm4knj2r64z (Instructure Status Page)
- https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/ (Bleeping Computer, 5-05-2026)
- https://techcrunch.com/2026/05/05/hackers-steal-students-data-during-breach-at-education-tech-giant-instructure/ (TechCrunch, 5-05-2026)