Canvas was hacked this week (starting around May 1, so over a week ago now). No details yet, and I’m not going to speculate or make assumptions. My heart goes out to the people at Instructure and the 8,800 institutions who are dealing with this. There are a few lessons from the incident and collective responses:
1. Clear and authentic communication is essential
Instructure’s initial response was to shut down the Canvas LMS and put up a “Canvas is currently undergoing scheduled maintenance” notice up. Which solved the initial problem of “people can’t access Canvas” but raised more questions. Eventually, word got out that Instructure had somehow been hacked - much of that coming from a message posted by the hackers themselves. Students posted screenshots of the hackers’ message on Reddit etc., and that served as the update for a few days.
Instructure confirmed the security incident on their website, but (as I write this on May 10) stopped updating the page on May 6, saying “Canvas is fully operational”, despite people still posting to Reddit/LinkedIn/etc. “hey - is anyone else still unable to login?”
According to Instructure’s own uptime information, there was nothing to see here. Despite Canvas being down for maintenance or hacking, it’s still fully operational. Here’s the historic uptime chart for an unnamed Canadian institution’s Canvas host:
That tiny blip at the top right corner of the chart is the acknowledged downtime for the incident… Whew! Nothing to see here!
So institutions had to fill the gap in communication. UAlberta’s Provost has been maintaining an excellent page with updates (last updated Friday May 8 - they’ll likely update again on Monday May 11).
UBC quickly put together an excellent page with info for instructors to quickly pivot from Canvas to either Moodle or WordPress, with instructions for how to access an archive of course content on Sharepoint. This is just outstanding work.
Institutions - leaders and the teams that manage digital platforms and who work with instructors to support their (online) teaching - need to own the message because they understand the local context.
2. Monocultures are a risk
I’m not going to speculate on the cause(s) of the Instructure cybersecurity incident - that will all come out eventually - but there are lessons we need to learn from the impact of the incident. We’re not a Canvas institution, but it looks like Instructure manages 3 different Canvas environments: “production”, “beta”, and “test”. And all 8,800+ institutions appear to share those three environments - they don’t each have their own instance of Canvas that they manage independently. They each have their own “host” - a custom institutional URL to access Canvas, probably setting up authentication etc - but after logging in, it’s back to the Big Giant Canvas Instance? If so, this makes it easier for Instructure to manage updates since everyone gets the same code deployed at the same time, but it means if an environment goes down, the impact is universal.
Assumption alert
Other vendors offer separate instances of their software, which can mitigate some of this risk. That adds a lot of overhead in managing deployments, updates, backups, etc., but provides some isolation between institutions so an incident may not roll through their entire client rolodex. But even those vendors are becoming (have become) more reliant on AWS on the back end. AWS is reliable until it isn’t, and when it isn’t, there’s nothing anyone can do except to collectively twiddle thumbs and hope. Even if the vendor’s software isn’t a monoculture, the back-end infrastructure is becoming monoculture-adjacent.
We need to learn from history - monocultures are seductive, but they are also dangerous.
3. The need for institutional agency
The LMS serves an essential role in blended and online learning - it is the “home base” or starting point for every course at our institution. It provides a reliable, consistent, supportable user experience for all 40,000+ people in our community. I wonder how much of that consistency has been conflated with uniformity, reliability with monoculture.
The UBC response is truly remarkable - the “teaching with technology” team (UBC’s new Learning Technology Innovation Centre), at a very large institution quickly put together a cohesive set of resources to support instructors in rapidly adopting different online platforms to meet the pedagogical needs in their courses.
4. (re)Developing resilience
The UBC response is remarkable because it’s so unheard of in 2026. But this is how institutions used to work - building things, rolling out experimental tools, trying new things and letting people use different platforms (or build their own). But over the last several decades, that’s been slowly eroded from higher education cultures and now it’s remarkable that an institution can do it well. This kind of ability to adapt, to be proactive - UBC couldn’t have spun up their Alternative Course Hosting service if they hadn’t spent years-and-decades developing capacity in their teams and processes - is what we need to focus on.
We need to work closely with our vendor partners, and we need to continue to develop and explore and build institutional knowledge and capacity in our teaching-and-learning and IT staff so that we are able to be proactive and to quickly adapt while serving the pedagogical needs of our instructors and the needs of our students.
The Instructure Incident is terrible - and what a waste of time and energy and resources that would have been directed to supporting teaching and learning! - but we can learn (can remind ourselves that we’d already learned) some important lessons about how we approach platforms used in our online courses.