Instructure discloses security incident on Canvas platform

Instructure disclosed a security incident that resulted in a data breach on its Canvas platform. The company confirmed that the University of Memphis was included in the breach. Further information is available on the company's incident update page. The cybersecurity incident occurred on April 25 when a criminal threat actor gained access. Instructure detected the attacker on April 29 and revoked access. On April 30 the company revoked additional suspicious access, addressed the vulnerability and found no indicators of an ongoing threat. Investigation into the incident is ongoing as of May 5. Thus far the information involved consists of names, email addresses, student identification numbers and messages among users at affected institutions. Instructure has found no evidence that passwords, dates of birth, government identifiers or financial information were involved. The University of Memphis accessed Canvas via single sign-on. This means its account passwords are separated from the Canvas environment. The attack was not directed at any one institution. Instructure is investigating the incident with assistance from third-party security experts and law enforcement. The company has stated that the incident has been contained. University of Memphis information technology staff will continue to monitor the situation. Users should watch for phishing emails and avoid clicking links to unfamiliar addresses. They should enter the direct Canvas URL into their browser address bar to access accounts. Users should also deny unexpected login requests and report suspicious activity to the university service desk.