Instructure breach
Cybersecurity
Instructure confirmed a breach on May 1st and has since issued a follow-up update. If your district runs Canvas, here's where things stand and what you should do now.
What Instructure has confirmed
The company says the incident is contained. Their forensics team identified the affected systems, and Instructure has revoked privileged credentials and access tokens, deployed patches, rotated certain keys as a precaution, and increased monitoring across platforms.
On data exposure: names, email addresses, student ID numbers, and user messages were involved. Instructure says there is currently no evidence that passwords, dates of birth, government identifiers, or financial information were compromised. If that changes, they've committed to notifying affected institutions.
What's still unknown
"Certain identifying information at affected institutions" leaves room for interpretation. You don't yet know the specific scope at your district. Instructure's investigation is ongoing. The first follow-up is rarely the final word.
What you should do now
The credential and token revocations Instructure performed were on their side. You need to review your own.
Audit your Canvas API keys and OAuth tokens for third-party integrations. Rotate anything that looks stale or wasn't actively monitored.
Notify affected users. Names, emails, and student IDs were involved — students, staff, and parents may have questions. Get ahead of that conversation before they read about it elsewhere.
Check your Canvas-connected integrations. Any tool that syncs user data through Canvas should be reviewed for anomalous activity over the last 30 days.
Review your state's student data breach notification requirements. Exposure of student IDs and names may trigger reporting obligations depending on your state law and district policy.
Brief your leadership now. Your superintendent and board should hear this from you, with context — not from a news alert.
Bottom line
Instructure has done their part. Your job this week is to verify your own integrations, communicate to affected users, and confirm you've met any notification obligations.
Featured Articles
CISA Adds One Known Exploited Vulnerability to Catalog
Cybersecurity · 1 min read
CISA added CVE-2026-31431, a Linux Kernel Incorrect Resource Transfer vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. If your district runs Linux-based servers, network appliances, or Chromebook management infrastructure, this is live threat territory, not theoretical. Federal agencies must patch by the KEV deadline, and while that mandate doesn't bind K12, the catalog is your best signal for what attackers are actively using right now. Bottom line: Check your Linux kernel versions today and get a patch scheduled before this shows up on your network.
CISA, US and International Partners Release Guide to Secure Adoption of Agentic AI
Cybersecurity · 1 min read
CISA and allied cybersecurity agencies from the UK, Australia, Canada, and others just dropped a joint guide on securing agentic AI: systems that execute multi-step tasks, call external tools, and act autonomously without per-action human approval. That description fits a growing list of ed-tech tools already landing in districts: AI scheduling assistants, automated help desk agents, AI-driven tutoring platforms. The guide identifies attack surfaces unique to agentic systems (prompt injection, privilege escalation through chained actions, over-permissioned integrations) and pairs each with actionable mitigations. Grab the PDF at cisa.gov and benchmark any active AI pilots against it before those tools move from sandboxed testing into production environments.
ChromeOS update 147.* bluetooth issues
Community · 1 min read
ChromeOS 147 is breaking Bluetooth on Chromebooks, with reports hitting r/k12sysadmin as of May 1. If your district auto-updates, expect teacher tickets about keyboards, headsets, and peripherals going dead right in the middle of instruction. One admin already rolled back to 145 via the Google Admin Console to stop the bleeding. Until Google confirms a fix, consider pinning your fleet to 145 before 147 spreads further. Bottom line: Pin your Chromebook update target to 145 in the Admin Console now, before 147 rolls out to your full fleet.
Tech Glitches Disrupt State Math Exams Across New York
News & Industry · 1 min read
New York's grades 3-8 digital math exams hit a login failure Wednesday morning, locking out students statewide and forcing NYSED to tell districts they could pause or delay testing. If your district runs state assessments on a centralized platform, this is your reminder that the failure point is rarely your network — it's the vendor's authentication layer. The state claims 116,000 students tested without error, but officials wouldn't release numbers on how many couldn't get in at all. Bottom line: Before your next high-stakes testing window, confirm your escalation path to the platform vendor, not just your local helpdesk.
Tools & Resources
K12 SIX Security Incident Map — Tracks real K12 security incidents nationwide so you can see what's hitting districts like yours right now.
CISA Known Exploited Vulnerabilities Catalog — Free, continuously updated list of vulnerabilities actively exploited in the wild — patch these first, no debate.
Tech Tip of the Week
How to quickly audit which Canvas users in your district may be affected by the Instructure data breach — what to check and who to notify
Instructure confirmed unauthorized access to Canvas user data, so your first move is pulling an export before you start any outreach.
Log into your Canvas admin console, go to Admin → People, and run a full user export to CSV — this gives you every account with role, login activity, and associated email.
Cross that list against your SIS to flag active students, staff, and any parent observer accounts tied to real email addresses. Those are your notification-priority records.
Next, check Admin → Authentication Logs for any login spikes or unfamiliar IP patterns in the past 30 to 60 days — filter by role if your instance is large.
Pull your API token list under Admin → Developer Keys and revoke anything that looks stale or unrecognized.
Notify your DPO and legal counsel before you contact families; they'll want to review language against your state breach notification law and FERPA obligations.
Bottom line: A clean user export and a revoked token list give you the scope and the paper trail you need before the calls start coming in.
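The cross-check against the SIS described above can be scripted once both exports are on disk. This is an added example, not code from Instructure or from the original newsletter; the column names (`user_id`, `email`, `role`, `sis_id`, `status`) and the sample rows are constructed assumptions, so map them to the headers in your own exports.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not Canvas's
# or any SIS vendor's documented headers.
CANVAS_EXPORT = """user_id,email,role
S1001,jdoe@students.example.org,student
S1002,asmith@students.example.org,student
T2001,MLee@example.org,teacher
O3001,pat.doe@mail.example.com,observer
O3002,,observer
X9001,old@example.org,student
"""

SIS_ROSTER = """sis_id,email,status
S1001,jdoe@students.example.org,active
S1002,asmith@students.example.org,inactive
T2001,mlee@example.org,active
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def notification_priority(canvas_rows, sis_rows):
    """Return (user_id, email, reason) for accounts to notify first."""
    active = [r for r in sis_rows if r["status"].strip().lower() == "active"]
    active_ids = {r["sis_id"] for r in active}
    active_emails = {r["email"].strip().lower() for r in active}
    flagged = []
    for row in canvas_rows:
        email = row["email"].strip().lower()  # normalise case before matching
        role = row["role"].strip().lower()
        if row["user_id"] in active_ids or (email and email in active_emails):
            flagged.append((row["user_id"], email, "active in SIS"))
        elif role == "observer" and email:
            # Parent observers are normally absent from the SIS roster,
            # so they are flagged on role plus a populated email address.
            flagged.append((row["user_id"], email, "observer with email"))
    return flagged

def unmatched(canvas_rows, sis_rows):
    """Non-observer Canvas accounts with no SIS record: review by hand."""
    known = {r["sis_id"] for r in sis_rows}
    return [r["user_id"] for r in canvas_rows
            if r["user_id"] not in known
            and r["role"].strip().lower() != "observer"]
```

Accounts returned by `unmatched` are neither confirmed active nor confirmed inactive, so keep them on a separate list for manual review rather than dropping them from the scope.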
