Instructure has disclosed a security incident affecting the Canvas LMS. Below is what we know, how Digication's integration with Canvas is structured, and the steps we recommend that organizations using Canvas with Digication take to verify everything is working as expected.
What Instructure has disclosed
- April 29, 2026: Initial unauthorized activity detected on Canvas.
- May 1, 2026: Public disclosure. Instructure rotated certain application-layer credentials.
- May 5, 2026: Affected organizations notified directly.
- May 7, 2026: Additional unauthorized activity detected. Canvas was temporarily taken offline.
Confirmed exposed: names, email addresses, student ID numbers, Canvas user-to-user messages.
Confirmed not exposed (per Instructure): passwords, dates of birth, government IDs, financial data.
For the most current information, please refer to Instructure's official communications and your organization's notification from Instructure.
How Digication connects to Canvas
Digication's Canvas integration uses LTI 1.3 / LTI Advantage exclusively. This is the modern LTI standard, and it has important security properties that limit the impact of this incident:
- Trust between Canvas and Digication is established through cryptographic key exchange, not through long-lived shared secrets or API tokens.
- Digication's signing key is held privately on Digication's infrastructure and is never shared with Canvas.
- Access tokens used for roster and grade sync are short-lived and refresh automatically.
Because of this design, the kinds of credentials that were rotated by Instructure are largely self-healing in Digication's integration.
What this means for your data
User information that Digication holds (names, emails, course rosters, grades) was provided through legitimate LTI launches from Canvas at the time those launches happened. The Canvas incident does not create any new exposure of this data on Digication's side.
The personal information that Instructure has identified as exposed lives in Canvas, not in Digication. Notification to affected users about that exposure is being handled by Instructure and your Canvas administrators.
Recommended actions for Canvas + Digication administrators
We recommend the following checks to confirm your Canvas + Digication integration is functioning correctly after Canvas came back online.
1. Verify the Digication developer key in Canvas
In Canvas, go to Admin → Developer Keys and confirm that the developer key used for Digication is still present and enabled. If Instructure or your team recreated this key as part of the incident response, the new key values will need to be updated in Digication.
2. Update the Canvas registration in Digication if the developer key changed
If the developer key was recreated, an organization administrator can update the registration in Digication. You will need the new Client ID, authentication endpoint, access token endpoint, and JWKS URL from Canvas. Contact Digication Support if you need help with this step.
3. Test an LTI launch from Canvas to Digication
From a Canvas course that uses Digication, launch into Digication as both an instructor and a student to confirm authentication is working correctly.
4. Test grade passback and roster sync
For at least one active course, confirm that:
- The course roster is syncing correctly from Canvas to Digication.
- A grade can be passed back from Digication to Canvas.
5. Review users created or updated during the incident window
If your workflow includes users being auto-provisioned through Canvas LTI launches, you may want to spot-check user accounts created or updated between April 29 and May 7, 2026, for anything unexpected.
6. Follow Instructure's guidance on user notifications
For communications to your end users about the personal information exposed in Canvas, follow the guidance Instructure has provided to your organization. Digication does not need to drive these notifications.
7. Watch for phishing
Incidents of this kind are often followed by phishing attempts that reference the incident. Remind staff and students to report suspicious email to your IT or security team.
What Digication is doing on our side
Our engineering team has reviewed the incident in detail and has taken precautionary steps within our integration to ensure that any credentials that may have been rotated upstream are refreshed cleanly. We are also monitoring our LTI services for any elevated error rates that would indicate an integration issue.
Getting help
If you have questions about this incident as it relates to Digication, or if you need help verifying or re-registering your Canvas integration, please contact Digication Support.
Sources