You may know by now that Instructure was breached by bad actors twice in the last week. At this time, we have no reason to believe that our clients (or Edlink itself) were compromised.
However, out of an abundance of caution and as a best practice, we are advising all districts using Canvas to rotate their API and LTI keys.
Here's why:
While it is Instructure’s current position that there’s “no evidence” that any data was accessed, we don’t share their level of conviction. Our assessment is based on the fact that attackers hijacked substantially all production Canvas instances to show a ransom message, which would require a fairly high level of access to Instructure’s infrastructure and systems.
As a result, if a bad actor did get access to Instructure core systems, they'd likely have access to API and LTI keys.
For API & LTI 1.3 integrations, exposed keys mean that attackers can exfiltrate any data that those keys have access to. Attackers can act as your application and use end user tokens to retrieve data. It is unlikely that attackers will be able to impersonate Canvas users to sign into your platform, assuming you have correctly implemented OAuth 2.0 or OIDC (for LTI).
For LTI 1.1 integrations, exposed keys mean that attackers can potentially sign into your product as “legitimate” end users. This can lead to possible data exfiltration from your product, and it will be difficult or impossible to tell whether traffic is legitimate. As such, we recommend that you immediately rotate all LTI 1.1 keys or upgrade to LTI 1.3, if possible.
In either case, the attackers could “sit” on stolen credentials for months or years before they decide to use them. By the time they do make their move, this incident may be a distant memory and it will be unclear to those affected exactly how the unauthorized access was obtained.
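As an added example (not Edlink's or Instructure's code) of why the LTI 1.1 case above is the one that allows user impersonation: an LTI 1.1 launch is a form POST signed with OAuth 1.0a HMAC-SHA1 using nothing but the shared consumer secret, so the tool provider's only defense once that secret may have leaked is to rotate it and refuse launches signed with the old one. The consumer key, secrets, launch URL and launch parameters below are constructed; `sign_launch` stands in for what the Canvas platform does, and `LaunchVerifier` is the tool-side check with timestamp, nonce-replay and rotation handling.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

LAUNCH_URL = "https://tool.example.test/lti/launch"  # constructed tool endpoint

def _enc(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved characters stay bare)
    return quote(str(s), safe="")

def oauth_signature(method, url, params, consumer_secret):
    """HMAC-SHA1 over the OAuth 1.0a base string, keyed only by the shared consumer secret."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = _enc(consumer_secret) + "&"  # LTI 1.1 launches carry no token secret
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_launch(params, consumer_secret, url=LAUNCH_URL):
    """Platform side: whoever holds the consumer secret can produce a launch that verifies."""
    signed = dict(params)
    signed["oauth_signature"] = oauth_signature("POST", url, signed, consumer_secret)
    return signed

class LaunchVerifier:
    """Tool-provider side: one live secret per consumer key; a rotated-out secret no longer verifies."""
    def __init__(self, secrets, max_age=300):
        self.secrets = dict(secrets)  # consumer_key -> current secret
        self.max_age = max_age        # seconds of timestamp skew tolerated
        self.seen = set()             # (consumer_key, nonce, timestamp) already accepted

    def rotate(self, consumer_key, new_secret):
        self.secrets[consumer_key] = new_secret

    def verify(self, params, now, url=LAUNCH_URL):
        secret = self.secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if abs(now - int(params.get("oauth_timestamp", 0))) > self.max_age:
            return False  # stale or future-dated launch
        replay_key = (params["oauth_consumer_key"], params.get("oauth_nonce"), params.get("oauth_timestamp"))
        if replay_key in self.seen:
            return False  # nonce already accepted: replayed launch
        expected = oauth_signature("POST", url, params, secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True
```

After `rotate()`, a launch signed with the leaked secret fails verification even though it is otherwise well-formed, which is the whole effect the rotation is meant to have.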
Later today or early tomorrow, we will release a user interface that you can share with your Canvas school customers to make the key rotation process as seamless as possible for school IT admins.
If you'd like to rotate keys sooner, we would be happy to work directly with you or your schools to knock this out.