2026 Canvas Incident: Information for Families and Staff

Last Updated: May 11, 2026

Status: Canvas is online and safe to use. We continue to monitor this evolving situation and will update this page as we learn more.

What’s New

May 11, 2026 Update #2: Instructure announced it has reached an agreement with the unauthorized actor involved in this incident. Per Instructure, the data was returned, copies were confirmed deleted, the actor provided assurances the data will not be shared further, and no Instructure customers will be extorted. The agreement covers all Instructure customers, including KPBSD. See https://www.instructure.com/incident_update for specifics.
May 11, 2026 Update #1: KPBSD has confirmed that PowerSchool Holdings is also conducting its own independent security review of the Canvas-to-PowerSchool data integration. KPBSD originally anticipated having this data integration re-enabled on Monday, May 11, but is now waiting for PowerSchool to announce its timeline for reactivation. More information related to PowerSchool’s actions is available at https://help.powerschool.com/t5/Announcements-What-s-New/re-Infrastructure-Canvas-Plug-In-Disablement/ba-p/571902.

There are no indications the Canvas-to-PowerSchool sync is involved. PowerSchool has taken these actions and initiated a review out of an abundance of caution.
May 8, 2026: Initial information posted, incorporating Instructure’s May 7 update on containment and forensics findings.

Summary

  • This incident occurred at Instructure, the company that provides Canvas. Our district’s own networks and systems are not involved.
  • Canvas remains accessible to users. The situation continues to evolve, and we are coordinating closely with Instructure.
  • The information stored in Canvas is limited in scope. Instructure has confirmed their investigation has found no evidence that Canvas passwords were exposed.
  • As of May 11, Instructure has reached an agreement with the unauthorized actor. Instructure reports the data was returned, copies were confirmed deleted, and no customers will be extorted. The agreement covers all Instructure customers, including KPBSD.
  • This page will be updated as we learn more.
May 8, 2026: Canvas Update Notification for KPBSD students, staff, and families

Background

On May 5, Instructure, the company that provides Canvas, the learning management system used by our students, notified our district that we are among the organizations impacted by a recent cybersecurity incident.

According to Instructure, an unauthorized party gained access to certain Canvas systems on April 25, 2026. Instructure detected the activity on April 29, removed the attacker’s access, and remediated the underlying vulnerability by April 30.

On May 7, 2026, an unauthorized actor made changes to pages displayed to some logged-in Canvas users. Instructure identified the activity, temporarily took Canvas offline as a containment measure, and has since restored access. Working with their independent forensics partner, Instructure has reported no evidence that the unauthorized actor established persistence, obtained credentials for accounts within our institution, or exfiltrated additional data.

Out of an abundance of caution, our Information Services team disabled the data integration between our district systems and Canvas on May 7, 2026, pending an internal review. KPBSD completed that review and re-enabled our integration components on May 11, 2026. In parallel, PowerSchool Holdings, the company behind the PowerSchool Student Information System product, is conducting their own independent review and has not yet re-enabled the integration on their side. Data integration services between PowerSchool and Canvas remain unavailable until PowerSchool’s review completes.

This remains a vendor-side incident on Instructure’s system. Our district’s internal networks, student information system, and other district-controlled systems are not involved.

On May 11, 2026, Instructure announced it had reached an agreement with the unauthorized actor. Instructure reports that the data was returned, copies were confirmed deleted, and the actor provided assurances the data will not be further shared. Instructure has stated no customers will be extorted as a result of this incident. While no resolution involving a cyber criminal can offer absolute certainty, this agreement applies to all Instructure customers, and individual customers, including KPBSD families and staff.

What Information Was Involved

Instructure has told us the data involved may potentially include the following information:

  • Student and staff names
  • Email addresses
  • Student/Employee KPBSD ID numbers
  • Messages sent within the Canvas platform

The information stored in Canvas is limited in scope. It primarily includes names, school email addresses, student/employee KPBSD ID numbers, course enrollments, and content created within the platform such as assignments, course content, and messages.

Sensitive personal information, such as Social Security numbers, dates of birth, financial information, or state-issued driver’s license or ID numbers, is not shared with Canvas.

Canvas also does not store passwords for students or staff. All login processing for those accounts is handled by district systems. Instructure has confirmed that their investigation to date has found no evidence that Canvas password information was exposed. Instructure has not yet provided us with the specific list of records from our district that were accessed. We will update this page and notify affected individuals directly as soon as that information is available.

What KPBSD is Doing

  • Working directly with Instructure to determine the specific impact to our district
  • Reviewing our security protocols and administrative access to Canvas
  • Providing notification consistent with our obligations under FERPA, the Alaska Personal Information Protection Act (APIPA), and other applicable laws
  • Continued monitoring across our environment
  • Keeping parents and staff informed as we learn more

What You Can Do

  1. Watch for suspicious messages. Be cautious of any email, text, or message that appears to come from the school, a teacher, or Canvas and asks you to click a link, reset a password, or share personal information. When in doubt, contact the school directly to verify before acting.
  2. Talk with your child. Remind your student not to click on unfamiliar links and to tell a trusted adult if they receive a message that seems unusual, even if it looks like it is from a teacher or classmate.
  3. Use strong, unique passwords. While Canvas does not store passwords for student or staff accounts, this is a good time to confirm your child is not reusing the same password across multiple accounts.

Information From Instructure

The following summarizes the information Instructure has provided to the district and shared publicly about this incident. It is included here for transparency and will be updated as Instructure issues additional communications.

Timeline reported by Instructure

  • April 25, 2026: Unauthorized access to Canvas systems began.
  • April 29, 2026: Instructure detected the activity and revoked the attacker’s access.
  • April 30, 2026: Instructure remediated the underlying vulnerability and deployed platform-wide protections.
  • May 5, 2026: Instructure notified the district that we are among the affected organizations.
  • May 7, 2026: An unauthorized message attributed to the threat actor was displayed on the Canvas login page.
  • May 7, 2026 (later that day): Instructure announced containment of the activity, temporarily took Canvas offline, and restored access. Forensics partner reports no evidence of persistence, credential compromise, or additional data exfiltration.
  • May 11, 2026: Instructure announced it has reached an agreement with the unauthorized actor. Per Instructure, the data was returned, copies were confirmed deleted, the actor provided assurances the data will not be shared further, and no customers will be extorted. The agreement covers all Instructure customers.

Information Instructure has identified as involved

Instructure has stated that the data accessed appears to include personal information. Based on Instructure’s broader public statements about this incident, the categories of information potentially affected across impacted institutions include names, email addresses, student ID numbers, and messages sent within the Canvas platform. Instructure has confirmed that their investigation to date has found no evidence that Canvas passwords were exposed.

Actions Instructure has reported taking

  • Engaged an external forensics firm to support the investigation
  • Notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international partners
  • Disabled compromised accounts and revoked associated access
  • Remediated the underlying vulnerability and deployed additional platform-wide protections
  • Rotated internal keys and restricted token creation pathways across the platform
  • Temporarily took Canvas offline into maintenance mode as a containment measure
  • Identified the entry point as the Free-For-Teacher account tier, common to both incidents
  • Temporarily shut down Free-For-Teacher accounts to address the underlying issue

Current status reported by Instructure

Instructure has stated that Canvas is fully back online. Their forensics partner has reported no evidence that the May 7 actor established persistence, obtained credentials for accounts within institutions, or exfiltrated additional data. Their broader investigation continues, and Instructure has indicated they will provide additional updates at their incident page (instructure.com/incident_update).

As of May 11, Instructure has also reported reaching an agreement with the unauthorized actor that included return and confirmed deletion of the data and assurances no customers will be extorted.

Forward commitments from Instructure

Instructure has indicated they will follow up with affected organizations to share organization-specific impact information once their investigation is complete.

The original full notification Instructure provided to the district contains operational details specific to vendor administration that are not reproduced here. Families with questions about the underlying notification may contact the district’s incident response team at canvas-irt@kpbsd.org.

Frequently Asked Questions (FAQ)

About the incident

Was our district specifically targeted? No. This was a broad incident affecting many organizations that use Canvas. Instructure has indicated that thousands of institutions worldwide may be impacted.

Was our district’s network or any of our district systems hacked? No. The incident occurred at Instructure, the vendor that operates Canvas. Our district’s own networks, student information system, and internal systems have not been breached.

When did the district find out? Instructure notified us and confirmed we were impacted on May 5th. We moved as quickly as possible to verify the information, prepare a response, and communicate with our community.

Has the threat been contained? The original vulnerability has been remediated, and Instructure has reported containment of the May 7 activity as well. Working with their forensics partner, Instructure has stated they have no evidence that the actor maintained persistent access, obtained user credentials, or exfiltrated additional data. The broader investigation continues, and we will update this page as we learn more.

About your child’s information

Was my child’s information specifically accessed? Instructure has not yet provided the district with a list of specific records that were involved. We will notify affected individuals directly once that information is available, and we will update this page as we learn more.

What information does Canvas actually store about my child? Canvas holds a limited set of information: names, school email addresses, student and employee KPBSD ID numbers, course enrollments, and content created within the platform, including assignments, course materials, grades within the course, and messages sent through Canvas. Sensitive records are not stored in Canvas.

Could messages between my child and a teacher have been accessed? Messages sent within the Canvas platform are among the categories of information potentially involved. If you have specific concerns about the content of a particular message, please contact the incident response team at canvas-irt@kpbsd.org.

Do I need to change my child’s Canvas password? Instructure has confirmed their investigation has found no evidence that Canvas passwords were exposed. As always, it is good practice to use strong, unique passwords and not to reuse them across accounts.

About continued use of Canvas

Is Canvas safe to continue using? Canvas remains accessible to users. While the situation continues to evolve, our district’s data integration with Canvas has been temporarily paused as a precaution. Canvas is an extension of the classroom, not a primary method of instruction, and instruction will continue regardless. We will provide updated guidance if any specific change in usage is required.

Is the district considering replacing Canvas? Our priority right now is supporting our community and working with Instructure to understand the full scope of this incident. Decisions about the long-term future of any technology platform are made through our standard review processes.

About what the district is doing

Why is this notification coming from the district and not from Instructure? Instructure is providing notice to the institutions that use Canvas. Our district, in turn, is providing notice to our families and staff. Instructure may also reach out directly to individuals at a later stage; we will update this page if that occurs.

Why is the district notifying us about this incident? We are notifying our community because we believe families and staff deserve clear and timely information when an incident affects services our students and staff use. Our notifications are consistent with the requirements that apply to this incident under FERPA, the Alaska Personal Information Protection Act, and other relevant laws.

About staying informed

How will I be notified of updates? Updates will be posted on this page and, when warranted, sent through our regular family communication channels. If we determine that your child’s information was specifically accessed, you will be notified directly.

Who can I contact with questions? Contact the KPBSD incident response team at canvas-irt@kpbsd.org.

Update Log

Date | Update(s) made
May 8, 2026 | Initial information related to this incident posted.
May 11, 2026 Update #1 | Background section: Updated timelines related to KPBSD data integration pause. Added details regarding PowerSchool’s independent data integration pause and review. Timeline from Instructure: minor formatting corrections. About continued use of Canvas (FAQ section): minor formatting corrections.
May 11, 2026 Update #2 | Added agreement announcement to Timeline reported by Instructure and Current status reported by Instructure. Added May 11 entry to What’s New regarding Instructure agreement.

Contact

For further information, please contact the incident response team at canvas-irt@kpbsd.org.