Canvas LMS Security Incident: Information for Summit Families

Summit Christian Academy | Parent Information Update
Canvas by Instructure
Summit Christian Academy
FACTS SIS

Canvas LMS Security Incident Update

Information for Summit families regarding the recent Instructure/Canvas security incident and the temporary FACTS integration shutdown.

Updated: May 11, 2026
Current Status

Summit Christian Academy is aware of the recent security incident involving Instructure, the company that operates Canvas LMS. At this time, Summit has not received verified customer-specific information from Instructure identifying affected Summit individuals or the specific Summit data involved.

Summary for Families

Canvas is used by many schools, including Summit. Because this issue has now been reported publicly and locally, and because FACTS has temporarily disabled its Canvas integration out of caution, we believe it is appropriate to share what we know at this time.

Instructure is investigating Instructure has stated that it is actively investigating with outside forensic experts.
Summit-specific details are not yet confirmed Instructure has not yet provided Summit with verified affected individuals or specific impacted data.
Microsoft passwords are not stored in Canvas Summit students use Microsoft Entra for Canvas authentication, so Microsoft handles the login process.
FACTS SIS reports no impact FACTS has stated that FACTS SIS and the data it manages on behalf of schools are not impacted by the Canvas breach.

What Happened?

Instructure, the company behind Canvas LMS, has confirmed a security incident involving Canvas. According to Instructure, unauthorized activity was detected, access was revoked, an investigation was started, and outside forensic experts were engaged.

“We're actively investigating this matter with outside forensics experts. We are committed to conducting a rigorous, thorough investigation. We began providing notice to impacted organizations on May 5 and are now verifying customer-specific data through ongoing investigation. When we verify the identities of affected individuals associated with your organization, and the specific data impacted, Instructure will provide that information directly to you.”

Because Instructure is still verifying customer-specific data, Summit does not yet have confirmed details about whether any Summit-specific individuals or records were involved.

What Information May Have Been Involved?

Public updates from Instructure and related reports indicate that the information potentially involved may include:

  • Names
  • Email addresses
  • Student ID numbers
  • Canvas messages or communications
Important clarification for Summit families

Instructure has stated that it currently has no evidence that passwords, dates of birth, government identification information, or financial information were involved. Summit does not provide Canvas with student financial information or government identification information.

Are Student Microsoft Passwords Safe?

Based on the information currently available, we do not believe student Microsoft login passwords were exposed through Canvas.

Summit students use Microsoft Entra for Canvas authentication. This means students sign in through Microsoft rather than through a password stored directly in Canvas. In that setup, Microsoft handles the login authentication process.

This does not mean there is no risk at all. The most likely risk to families is phishing, where someone may attempt to use publicly discussed breach information to trick users into entering login credentials on a fake page.

Families should be cautious of emails, messages, or websites that ask students to “verify” a Microsoft account, reset a Canvas password, view grades, recover assignments, or confirm personal information.

What Did FACTS Do?

FACTS notified schools that, effective 12:00 p.m. CST on May 8, it temporarily disabled the Canvas API integration for all FACTS SIS schools. This means Canvas gradebook sync and report card sync into FACTS SIS are offline until further notice.

FACTS stated that:

  • FACTS SIS and the data it manages on behalf of schools are not impacted by the Canvas breach.
  • The last FACTS SIS sync with Canvas occurred on May 7.
  • Canvas gradebook sync and report card sync into FACTS SIS have been disabled.
  • No action is required from schools at this time.
  • FACTS took this action out of an abundance of caution after reports of additional activity involving Instructure’s environment.
  • FACTS plans to rotate API keys and restore integration once Canvas has been confirmed secure.

This was a protective step by FACTS to prevent an active API connection from remaining open while the Canvas investigation continues.

Timeline of Key Updates

May 1, 2026
Instructure confirmed a security incident involving Canvas.
May 5, 2026
Instructure began providing notice to impacted organizations and continued verifying customer-specific data.
May 7, 2026
FACTS indicated that the situation escalated with reports of additional activity involving Instructure’s environment. The last FACTS SIS sync with Canvas occurred on this date.
May 8, 2026
FACTS temporarily disabled the Canvas API integration for all FACTS SIS schools effective 12:00 p.m. CST.
May 11, 2026
Summit prepared this summary for families because the issue had been reported publicly and locally, and because of the temporary FACTS integration shutdown.

What Is Summit Doing?

Summit is continuing to monitor the situation and review available information from Instructure, FACTS, and other relevant sources.

  • Monitoring updates from Instructure.
  • Watching for direct notice from Instructure regarding any Summit-specific impact.
  • Reviewing our own systems for signs of unusual activity.
  • Monitoring information from FACTS regarding the temporary Canvas integration shutdown.
  • Continuing to evaluate whether additional parent or student communication is needed.
  • Encouraging families to remain alert for phishing attempts.

If Instructure provides verified information identifying affected Summit individuals or specific impacted data, we will review that information and communicate further as appropriate.

What Should Families Do?

At this time, families do not need to take any specific technical action. However, we recommend the following precautions:

  1. Be cautious with emails or messages referencing Canvas, grades, assignments, password resets, or account verification.
  2. Do not enter Microsoft login information unless you are certain you are on a legitimate Summit/Microsoft login page.
  3. Report suspicious school-related emails or messages to Summit.
  4. Do not click links from unexpected messages claiming to provide breach details, leaked data, grade access, or account recovery.
  5. Use strong, unique passwords for personal accounts and avoid reusing school-related passwords on other websites.

Frequently Asked Questions

Has Summit been confirmed as impacted?

At this time, Summit has not received verified customer-specific information from Instructure identifying affected Summit individuals or the specific data impacted.

Instructure has stated that it began notifying impacted organizations on May 5 and is continuing to verify customer-specific data. If Instructure confirms that Summit accounts or records were directly affected, we will evaluate that information and provide additional communication.

Is Canvas still safe to use?

Canvas remains an important learning platform used by schools across the country. However, because the investigation is ongoing, Summit is treating the situation carefully.

The temporary shutdown of the FACTS integration does not necessarily mean Summit’s FACTS data was compromised. FACTS has stated that FACTS SIS and the data it manages were not impacted. The integration was disabled as a precaution while Instructure’s environment is being reviewed.

Will grades or report cards be affected?

Because FACTS has temporarily disabled the Canvas gradebook sync and report card sync, some automated syncing between Canvas and FACTS may be paused.

Summit will work internally to manage any necessary grade or report card processes while this integration is offline. FACTS has stated that it will provide instructions and a timeline once Canvas has been confirmed secure and the integration can be restored.

Why is Summit sharing this now?

Summit initially monitored the situation while waiting for more specific information. Because the incident is now receiving public and local news attention, and because FACTS has taken the additional step of temporarily disabling the Canvas integration, we believe it is appropriate to provide families with a clear summary.

Our goal is to be transparent without creating unnecessary concern.

What would cause Summit to send another update?

Summit will update families if Instructure confirms that Summit-specific individuals or data were affected, if FACTS provides a timeline for restoring the Canvas integration, if families need to take additional action, or if new verified information changes our current understanding of the situation.

Additional Updates

We will update families if:

  • Instructure confirms that Summit-specific individuals or data were affected.
  • FACTS provides a timeline for restoring the Canvas integration.
  • We determine that families need to take additional action.
  • New verified information changes our current understanding of the situation.

Summit Christian Academy will continue to monitor this situation and communicate additional information as appropriate.