The Canvas Breach Is a Warning for Every Organization Using SaaS Products

07/01/26


Key Takeaways
  • The recent Instructure Canvas breach highlights how trusted SaaS platforms can become high-value targets when identity, access, and data-sharing controls are not continuously managed.
  • Even when passwords or financial information are not exposed, names, emails, IDs, course data, enrollment information, and private messages can create meaningful phishing, impersonation, and credential-harvesting risk.
  • Organizations should use this incident as a prompt to reassess what data they share with vendors, who has access to connected systems, and how quickly suspicious activity can be detected.

 

What happened with Instructure/Canvas?

Instructure, the company behind the Canvas learning management system, recently disclosed a cybersecurity incident involving unauthorized access to certain user data. Reported data included names, institutional email addresses, user IDs, course and enrollment information, and messages.

While passwords and financial information were not the primary concern, the exposed data still matters. Attackers can use real names, emails, relationships, and messages to make phishing attempts more convincing. A message referencing a real school, course, department, or prior communication is much more likely to be trusted than a generic scam.

Why this matters beyond education

Although the incident affected schools and universities, the same risk applies to businesses that rely on SaaS platforms every day.

Organizations use tools such as Microsoft 365, Google Workspace, Salesforce, Workday, NetSuite, ServiceNow, payroll systems, and customer portals to manage communication, finance, HR, operations, customer data, and workflows.

These systems often contain a working map of the business: who works there, who has authority, who communicates with whom, and which messages are likely to be trusted. In the wrong hands, that information can support phishing, business email compromise, vendor impersonation, social engineering, and attacks against connected systems.

A breach does not have to start inside your network to create risk for your organization.

Where organizations become exposed

Many companies share more information with SaaS vendors than they realize. Some data is necessary. Some may have been shared during implementation and never reviewed again.

Over time, this creates data and identity sprawl. Information spreads across applications, integrations, reports, exports, and archived records. Employees change roles, contractors leave, vendors complete projects, and temporary access can quietly become permanent.

Threat actors look for these weak points. They may not need to break through a firewall if they can exploit an overlooked account, exposed integration, or trusted platform with useful user data.

What organizations should do now

The answer is not to stop using SaaS platforms. It is to manage them with more visibility and discipline.

Start by identifying what data your organization shares with critical vendors. Determine what is required, what is optional, how long it is retained, and whether it is still needed.

Then review access. Pay close attention to administrators, former employees, inactive users, contractors, vendors, service accounts, API access, and third-party integrations. Access should reflect current business needs, not historical convenience.

Organizations should also evaluate whether they can detect unusual behavior quickly, including abnormal logins, large exports, unexpected API activity, unauthorized admin changes, or activity from accounts that should no longer be active.
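The access review and the detection checks described above can be prototyped against exports most SaaS admin consoles provide. The following is an added example, not code from UHY or from any vendor; the account list, audit events, field names, and thresholds are constructed assumptions for illustration.

```python
from datetime import datetime

# Constructed sample data: not from any real SaaS product or from the incident.
NOW = datetime(2026, 1, 7)
ACTIVE_STAFF = {"a.lee@example.edu", "b.cho@example.edu"}  # current HR roster
ACCOUNTS = [  # hypothetical export of users and API keys from an admin console
    {"id": "a.lee@example.edu", "last_login": "2026-01-05"},
    {"id": "b.cho@example.edu", "last_login": "2025-08-01"},
    {"id": "c.diaz@example.edu", "last_login": "2025-12-20"},  # has left
    {"id": "svc-reporting", "owner": "c.diaz@example.edu", "last_login": "2026-01-06"},
]
EVENTS = [  # hypothetical audit-log records
    {"actor": "a.lee@example.edu", "action": "export", "rows": 120},
    {"actor": "a.lee@example.edu", "action": "export", "rows": 48000},
    {"actor": "svc-reporting", "action": "api_call", "rows": 0},
    {"actor": "c.diaz@example.edu", "action": "role_change", "rows": 0},
]

def owner_of(acct):
    """API keys and service accounts inherit the status of their human owner."""
    return acct.get("owner", acct["id"])

def review_access(accounts, active_staff, now, max_idle_days=90):
    """Return (account, reason) for access that no longer matches current need."""
    findings = []
    for acct in accounts:
        idle = (now - datetime.strptime(acct["last_login"], "%Y-%m-%d")).days
        if owner_of(acct) not in active_staff:
            findings.append((acct["id"], "owner not on current roster"))
        elif idle > max_idle_days:
            findings.append((acct["id"], "inactive"))
    return findings

def flag_events(events, accounts, active_staff, export_row_limit=10000):
    """Return (actor, action, reason) for audit events worth an analyst's look."""
    owners = {a["id"]: owner_of(a) for a in accounts}
    alerts = []
    for ev in events:
        # Unknown actors and actors whose owner has left are treated the same way.
        if owners.get(ev["actor"]) not in active_staff:
            alerts.append((ev["actor"], ev["action"], "account should not be active"))
        elif ev["action"] == "export" and ev["rows"] > export_row_limit:
            alerts.append((ev["actor"], ev["action"], "large export"))
    return alerts

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, ACTIVE_STAFF, NOW):
        print("REVIEW", *f)
    for a in flag_events(EVENTS, ACCOUNTS, ACTIVE_STAFF):
        print("ALERT ", *a)
```

Tying each API key to a named owner is what lets the orphaned `svc-reporting` key surface in both checks even though it logged in the day before.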

Finally, include SaaS platforms in third-party risk reviews. Vendor assessments should address data minimization, access controls, logging, breach notification, incident response, and integration security.

A better question for leadership

The Canvas breach is a reminder that contextual information can be enough to create real risk. Names, emails, IDs, messages, and relationships can help attackers sound credible and target users more effectively.

The question is not only, “Was sensitive data exposed?”

It is, “Could the exposed information help someone target our organization next?”

The strongest organizations know where their data lives, limit unnecessary sharing, review access regularly, and treat SaaS platforms as part of their security perimeter.

Secure the information you share with SaaS platforms

The next breach may not start inside your organization, but it can still put your data, people, and operations at risk. Connect with UHY to evaluate your third-party, SaaS, and identity security posture before attackers find the gaps first.

Author

KIMBERLY ANDERSON

Managing Director, UHY Advisors

Kimberly Anderson has over 20 years of information technology consulting, developing business continuity strategies and disaster recovery solutions. She provides audit, attest, consulting, and compliance services for clients and performs System and Organization Controls (SOC) readiness assessments and attestations, including SOC 1®, SOC 2® and SOC 3®.
