Instructure, the company behind the Canvas learning management system used by millions of students and teachers worldwide, has confirmed it paid a ransom to the cybercriminals who attacked its platform. The breach — first disclosed in early May — exposed data from Canvas accounts at schools and universities across the United States. Members of Congress have now announced an investigation into the incident, raising concerns about how educational institutions protect sensitive student information.
Paying a ransom does not guarantee that stolen data is deleted. Affected versions include all Canvas accounts created before the incident was contained, meaning students, teachers, and administrators at schools that use Canvas should remain cautious. Scammers sometimes exploit breached education records to impersonate schools or financial-aid programs.
How to check if you’re affected
Affected versions include all active Canvas accounts at institutions running the platform at the time of the breach. Here’s what to do:
- Change your Canvas password now and choose something unique — don’t reuse a password from another site.
- Enable two-factor authentication in your Canvas account settings if your institution allows it.
- Watch for phishing emails that appear to be from your school, Canvas, or Instructure asking you to verify your details or log in via a link.
- Contact your school’s IT department if you want confirmation of whether your institution was directly affected.