In the aftermath of the Canvas breach and as information continues to be shared, we wanted to provide an update on Harmonize’s status.
We have been in direct contact with Instructure regarding the recent Canvas security incident, and there is nothing you need to do with your LTI keys or API keys as it relates to Harmonize.
As previously shared, we took Harmonize offline out of an abundance of caution to give Instructure time to isolate and address the issue. We have not experienced a breach, and we do not believe there is an ongoing risk of breach to Harmonize systems. Our continuous monitoring and recent investigations have not identified any suspicious activity involving Harmonize.
A few additional points about Harmonize’s infrastructure and Canvas integration:
Harmonize uses LTI 1.3, which is inherently safer than LTI 1.1 because it does not rely on shared secrets. Harmonize discontinued LTI 1.1 years ago. Instructure continuously rotates its LTI 1.3 JWK security keys.
For Canvas API access, OAuth2 access tokens expire hourly, further limiting the window of exposure if a token were ever compromised.
Our security policies and infrastructure controls are described in our SOC 2 materials, available at:
Some Canvas users are experiencing "Must submit new OAuth2 request" or "Missing custom CSRF token" errors when attempting to authorize Canvas Features in their course. We are working with Canvas Support to get this issue fully resolved. While Canvas did release an update recently, it has not fully addressed the issue. If you encounter this issue, please file a support ticket with our team at https://help.harmonizelearning.com/hc/en-us/requests/new
Discussions - Operational
Chat - Operational
Polling - Operational
Media Services - Operational
API - Operational
Blackboard - Operational
Brightspace - Operational
Canvas - Operational
Moodle - Operational
TurnItIn - Operational
Ouriginal - Operational
ChatGPT - Operational
