There is still a lot we do not know about the Canvas cyber incident, and this is not the time for overconfident technical diagnosis. The situation is still active, the forensic details matter, and cybersecurity incidents are not the same as cloud outages. Legal, forensic, and law-enforcement constraints are real.

Late on Friday, May 8, Instructure published a substantive public Security Incident Update & FAQ on its main website. That is, in significant part, what should have happened days earlier. It is the right format, and it contains real information. But it does not retire the broader trust question this week has raised. Particularly in the 2010s, Instructure earned a reputation for being unusually direct with customers, including when things went wrong. That reputation was tested this week, and the test is not over.

The 2012 Contrast

Back in 2012, Canvas suffered what Instructure itself called "A Bad Day for Canvas." In a public post, then-CEO Josh Coates explained that roughly one-third of Canvas customers experienced serious performance problems during a major outage, described what had happened, and ended with the kind of plain-language apology that customers remember: "We are embarrassed. We are sorry. We will do better." That was not corporate perfection. It was public ownership, signed by a named executive. It became part of the Canvas story.

This week's incident is far more serious and far more complicated. A cybersecurity incident involving confirmed data exposure, redirect-based extortion claims, and law-enforcement involvement cannot be handled like an availability outage. No one should expect Instructure to publish details that compromise an investigation, expose customers to additional risk, or make forensic work harder.

But the communications issue is not that Instructure failed to provide every detail. The issue is that for most of this week, Instructure treated a vendor-level security crisis primarily as a status-page incident.

The Status Page

On May 6, Instructure marked the incident "Resolved" on its status page, saying Canvas was fully operational and that the company was not seeing ongoing unauthorized activity. The message recommended customers enforce multi-factor authentication on privileged accounts, review admin access, and rotate API tokens or keys where applicable. It also said this would be the company's final update via that status page, with further updates provided through other channels and through direct communication with impacted customers.

It Was Not Resolved

That framing did not hold up for long.

By Thursday morning, May 7, users at multiple institutions were blocked from Canvas and instead saw redirect messages from ShinyHunters, the group claiming responsibility for the breach and posting a list of affected schools. As the NY Times reported, students at Harvard were among those who hit the ShinyHunters page when trying to log in.

By Thursday afternoon, Instructure had taken Canvas offline in response.

By Thursday evening, customer institutions—not Instructure—were carrying the public explanation, while Instructure's own public posture remained status-page language about maintenance mode and login difficulties. Baylor's May 7 update was particularly direct.

Update May 7, 2026 - 5:22 p.m.: Canvas is currently unavailable university-wide. This is a nationwide issue. Users should not attempt to engage with or respond within the Canvas system until further notice. Our teams are actively monitoring the situation and working with the vendor toward resolution. Additional updates and communications will be shared as more information becomes available. Visit systemstatus.baylor.edu for updates.

That guidance did more than notify users of downtime; it confirmed that the May 6 "Resolved" framing was no longer accurate. Baylor's earlier update also told its community that Instructure had notified customers of a data breach, that Baylor data stored on Instructure servers was impacted, and that Instructure had contracted with a forensics firm to investigate the extent of the breach. Other institutions followed a similar pattern. AP reported that the University of Iowa, Virginia Tech, the University of New Mexico, the University of Florida, Princeton, and UT San Antonio were among those notifying students, parents, or campus communities, with UT San Antonio even pushing back Friday finals in response to the outage.

Friday's Update

Late Friday, Instructure published its Security Incident Update & FAQ at instructure.com/incident_update—the kind of substantive, central, public source that should have anchored the week's communications from the start. The page provides material new information.

Instructure says it first detected unauthorized activity on April 29 and notified impacted organizations on May 5. The May 7 activity that produced the ShinyHunters redirect pages was tied to the same underlying incident. The company has identified the vector as a vulnerability related to Free-For-Teacher accounts and has temporarily shut those accounts down—a meaningful, customer-facing decision given how widely Free-For-Teacher is used in K-12 and informal education contexts. The page confirms that the data taken in the April 29 incident includes user names, email addresses, student ID numbers, and messages between Canvas users. Instructure says it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved, and no evidence that data was taken during the May 7 activity. Law-enforcement engagement now includes the FBI, CISA, and international partners.

The page also includes a line worth quoting directly: "Trust is earned through actions and we're committed to earning yours."

That sentence is the right framing. It is also what the rest of this piece is about.

What the page does not say is as telling as what it does. Reporting from TechCrunch, Times Higher Education, and others has put the scope of the breach at roughly 9,000 institutions and somewhere between 200 and 275 million user records, with billions of messages between students and teachers among the data ShinyHunters claims to have exfiltrated. The May 8 FAQ does not acknowledge any of those figures, does not characterize the volume of data taken in any form, and does not address the extortion claims and May 12 deadline that drove the May 7 redirect pages and the resulting institutional scramble. Listing the categories of data involved without acknowledging the scale is a partial disclosure presented as a full one. Customers reading the FAQ would not learn that this is among the larger education-sector data exposures on record. That omission is a choice, and it is the kind of choice that erodes the trust the rest of the page is asking customers to extend.

What Trust Was Built On

The May 8 page is a real step. It is the format the situation called for, and the content is more candid than what came through the status page earlier in the week. But trust is earned through actions, in Instructure's own words, and the actions across this week tell a more complicated story.

For most of the week, the clearest public evidence that the incident had escalated came not from Instructure's own public channels, but from the customers and partners forced to explain the situation to their users.

This matters because Canvas is not just another enterprise system tucked away in administrative workflows. It is the day-to-day academic operating layer for millions of students and faculty. It is where students get assignments, submit work, access grades, review lecture materials, message instructors, and prepare for finals. When the platform is unavailable, defaced, or tied to exposed messages and identifying information, this is not merely a back-office security issue. It is an academic continuity issue.

A public FAQ on Day Five of a confirmed-data-exposure cyber incident is not the same as a public statement on Day One. And the May 8 page is corporate voice. There is no named executive on it, no equivalent of the Coates "we are embarrassed, we are sorry" moment, no signed ownership. The 2012 standard was not just the format; it was the signature.

The operational situation may also stabilize faster than this week's public timeline suggests—whether through forensic containment, negotiation with the threat actor, or other means. That would be welcome for institutions in the middle of finals. But operational resolution is not communications resolution, and a quiet return to normal would not retire the questions this week has raised.

Canvas rose in part because customers believed Instructure was different. More open. More responsive. Less defensive. More willing to own the problem instead of managing the optics. This week, that difference was hard to see until Friday afternoon—and even then, only partially.

The company built a lot of trust in the 2010s by being unusually candid when Canvas had a bad day. This week, Canvas had a much worse week. Trust is earned through actions. Instructure has now taken one, but the standard it helped set calls for more.

The main On EdTech newsletter is free to share in part or in whole. All we ask is attribution.
