ASHEVILLE, N.C. (828newsNOW) — A cybersecurity incident involving Instructure, the company behind the widely used Canvas learning platform, has disrupted learning systems and prompted warnings across multiple North Carolina school districts, including Asheville City Schools and Henderson County Public Schools, state officials said.

Instructure confirmed that unauthorized access occurred in late April and again in early May, affecting parts of its Canvas environment used by schools nationwide. The company said the breach exposed data such as usernames, email addresses, course names, enrollment information and internal messages. It said core learning data — including course content, submissions and passwords — was not compromised.

The company temporarily disabled its “Free for Teacher” accounts after identifying a vulnerability linked to the incident, calling the decision necessary to contain the issue and complete a security review.

“Canvas by Instructure is fully operational and remains safe to use,” CEO Steve Daly said in a statement. He also acknowledged delayed communication and apologized for inconsistent updates during the investigation.

Instructure said it has since reached an agreement with the unauthorized actor involved in the breach, stating the data was returned and that it received confirmation of its destruction. The company also said it was told customers would not be extorted, though it continues to work with forensic experts to verify findings and strengthen security.

North Carolina schools affected

Maurice “Mo” Green, superintendent of the N.C. Department of Public Instruction, said the agency is working with Instructure, the state Department of Information Technology and local school systems to assess the scope of the incident. He said Instructure has reported that compromised data may include personal information such as first and last names, but there is no indication that passwords, dates of birth, government identifiers or financial data were involved.

Green urged vigilance for phishing attempts and reminded districts that state law prohibits paying ransom demands in cyber incidents.

Asheville City Schools notified families and staff May 5 that district data stored within Canvas may have been exposed. The district said the breach occurred on Instructure’s systems, not its own network, but acknowledged that student and staff names, email addresses, student ID numbers and internal Canvas messages were included.

District officials said they are working with state and cybersecurity partners, including the N.C. Department of Information Technology and insurance carriers, to ensure no unauthorized access occurred through its systems. They also warned families to be cautious of phishing emails posing as Canvas account verification or password reset requests.

Henderson County Public Schools also confirmed it was among the systems impacted, according to reports cited by local media.

What schools are doing now

Districts across the state say they are monitoring systems, auditing internal security protocols and advising staff and families to avoid clicking suspicious links or responding to unsolicited messages.

Officials emphasized that the primary risk to users at this stage is phishing attempts using real names and student identifiers potentially obtained in the breach.

Instructure said it plans to release additional forensic findings and host a webinar with leadership to explain the incident and outline steps taken to secure the platform.

For now, Canvas remains online as investigations continue.