Major data breach affects local schools, access to Canvas disabled

A major cybersecurity breach at Instructure, the company behind the Canvas learning management system, has disrupted U.S. schools after a hacking group accessed private data. Virginia Beach Public Schools (VBCPS) announced on Thursday that Canvas access was disabled as a precautionary measure following Instructure’s second cybersecurity incident. The school division urged staff to avoid using Canvas until further notice and explore alternative methods for instruction. Dare County Public Schools in North Carolina also reported the breach, which was first detected by Instructure on April 25, 2026. The hacking group gained access on April 29, and Instructure revoked their permissions while investigating vulnerabilities. While the breach may have exposed personal data of students and staff, there is currently no indication that sensitive details like passwords, birthdates, or financial information were involved. Both school divisions are working with Instructure and state authorities to assess the impact and monitor for potential phishing attempts. Dare County Schools, which uses Canvas for grades 6-12, emphasized that users should remain cautious and avoid suspicious communications. The investigation is ongoing, and updates will be provided as more information becomes available. Instructure has taken steps to mitigate the breach, including revoking suspicious access and addressing system vulnerabilities. However, Canvas outages may persist until the platform is deemed secure. Schools are advising staff to prepare alternative instructional methods in case access remains restricted.