Instructure disclosed and then partially confirmed a Canvas-related cybersecurity incident, with affected data described as including user messages, names, email addresses, and student ID numbers. The company said it revoked privileged credentials and access tokens, applied patches, and increased monitoring after believing the incident was contained. Within a day, additional reports emerged that attackers were again targeting Canvas users through an extortion message tied to a claimed breach of 275 million records across 9,000 schools. Instructure said Canvas, Canvas Beta, and Canvas Test were unavailable while the company investigated the issue, contradicting earlier assurances of full operational status. For colleges and K-12 districts, the episode highlights the operational reality that vendor breach communications, downtime, and incident response timing can directly disrupt teaching and student services—while also raising urgent questions about identity and access management, third-party risk monitoring, and incident communications playbooks.