Skip to main content

Status Updates

Security Update: Recent Canvas Incident and Required Actions

Date: May 12, 2026

Instructure has confirmed to MTDA that the accessed data has been returned and digitally destroyed, neutralizing the immediate concern. While the Canvas platform remains secure and fully operational, MTDA implemented the mandatory password reset directive for all direct-login accounts out of an abundance of caution. We will review information from Instructure in conjunction with the UM Information Security Office and the Montana University System, but the acute phase of this incident is officially resolved.

Date: May 10, 2026

Montana Digital Academy (MTDA) has been informed of a security incident involving Instructure, the parent company of our Learning Management System, Canvas. We are working closely with the University of Montana Information Security Office and the Montana University System (MUS) to address the situation and protect our community.

Please note: Canvas is currently fully operational and safe to use.

What Happened?

Instructure recently experienced two separate security events:

  1. Data Access (April 25–28): Unauthorized actors accessed certain data within the Canvas environment.
  2. Service Disruption (May 7): A vulnerability was exploited, allowing modification of visible content on the platform. Instructure briefly took Canvas offline to contain this; no additional data was collected during this second event.

Canvas is currently fully restored and operational.

What Information Was Involved?

According to the forensic investigation by Instructure and CrowdStrike, the breach was limited to specific directories and enrollment fields.

Information that MAY have been accessed:

  • Usernames and Email addresses
  • Course names and Enrollment information
  • Messages sent within the Canvas platform

Information that was NOT compromised:

  • Core learning data: Course content, assignments, and student submissions.
  • Credentials: Academic transcripts and official records.

Mandatory Action: Password Resets

To ensure the continued security of our systems and out of an abundance of caution, MTDA is implementing the following security measures:

All users are required to perform a forced password reset on their Genius accounts. If your account is authenticated through a school-specific Single Sign-On (SSO) provider, your password remains secure. However, all accounts utilizing direct login credentials via the Genius SIS must be updated immediately.

Our Mediation Steps

MTDA is taking the following proactive steps to secure our node:

  • Hardening Admin Access: We have reset passwords for all Canvas administrative, instructional designer, and service integration accounts (SIS, LTI, API) not protected by SSO.
  • Ongoing Forensics: We are coordinating with UM Legal and Information Security to review the upcoming final forensics report from Instructure.
  • Vulnerability Patching: Instructure has confirmed the vulnerability used in the May 7th incident has been patched, and the immediate threat is contained.

Support and Updates

We understand this news may be concerning. We are committed to transparency and will provide further updates as the UM Information Security Office completes its investigation into the full scope of the impact on UM System data.

For the latest technical updates directly from the service provider, you may visit the Instructure Incident Update Page.

If you have questions regarding your account or need assistance with the password reset process, please contact the MTDA help desk.

The Montana Digital Academy Team