A widespread breach of the Canvas online learning platform, operated by Utah-based Instructure, rolled across New Hampshire’s college campuses last week at exactly the wrong time of year, knocking course materials offline at the University of New Hampshire and Dartmouth College during the final stretch of spring finals and prompting a coordinated scramble by faculty to print, back up, or otherwise rescue their gradebooks. The Concord Monitor first surveyed the scope of the disruption inside the state, reporting that “many N.H. schools” were affected in a story that ran on May 8.

What looked at first like a routine outage turned out to be one of the largest single educational cybersecurity events on record. The hacking collective ShinyHunters claimed responsibility for stealing roughly 3.65 terabytes of user data, an estimated 275 million records, drawn from 8,809 institutions worldwide, and gave Canvas customers until May 12 to negotiate a settlement or watch the data dribble out.

What Got Taken, and What Didn’t

By the time Instructure’s incident page settled into a steady cadence of updates, the company had walked the user base through the boundaries of the breach. The data exposure appears to include names, school-issued email addresses, student or staff identification numbers, and the contents of in-platform messages between students and instructors. It did not, Instructure has so far insisted, include passwords, Social Security numbers, dates of birth, financial information, or any government identifiers.

That distinction matters for two reasons. First, the breach is bad but probably not credit-monitoring bad for most affected students. Second, the in-platform message dump is still a meaningful privacy harm, because Canvas messages can contain accommodation requests, mental health disclosures, disciplinary discussions, and other content students reasonably believed was private between them and a single instructor.

ShinyHunters appears to have come in through Instructure’s Free-For-Teacher product, an outside-the-paywall tier originally aimed at K-12 educators and individual instructors. Once inside, the group apparently extracted user records at scale across the integrated environment.

The May 7 Outage, Up Close

Things came to a head on Thursday, May 7. ShinyHunters, reportedly impatient with Instructure’s decision to patch rather than pay, pushed a ransom note into the live Canvas environment so that anyone logging in saw it instead of their course page. By 8 p.m. Eastern, Instructure had pulled the platform down and replaced the ransom-note view with a generic maintenance message, then began the work of rolling out hardened access controls.

For students at the University of New Hampshire, the timing could not have been worse. Final exam week was already underway in several departments and the run-up to finals had begun in nearly all the rest. UNH’s central IT communications office sent guidance to faculty within hours, asking instructors to “provide flexibility with deadlines” and stating clearly that students should not be penalized academically because of the disruption. At Dartmouth, the information and technology office took a slightly different tack, recommending that instructors immediately download backups of course materials and gradebooks while the platform was still partially reachable, and keep doing so for the rest of the term.

Smaller New Hampshire institutions improvised. Several community college instructors moved temporarily to email-based assignment submission. A handful of professors at Plymouth State and Keene State held office hours by phone to walk students through paper alternatives for last-minute graded work. Southern New Hampshire University, whose online programs depend particularly heavily on Canvas for asynchronous instruction, briefly froze certain assessment deadlines while it confirmed the integrity of its course shells. Readers tracking how SNHU’s online model is holding up generally may want to see our SNHU online review for the broader context.

Why the Concord Monitor Report Matters

The Monitor’s reporting cataloged an unusually long list of affected New Hampshire institutions and made clear that this was not a one-or-two-campus event. The list spanned research universities, regional state schools, community colleges, and at least some K-12 districts using Canvas for hybrid coursework. New Hampshire’s mix of public and private higher education runs the gamut from Dartmouth’s Ivy League research footprint down to small private liberal arts colleges, and the breach hit all of them through the same upstream vendor.

That single-vendor dependency is the real policy question. Canvas, alongside competitors Blackboard and D2L, sits at the center of a market that has consolidated heavily since 2018. If a single learning management system goes down or gets compromised, hundreds of campuses lose course continuity at once.

For Granite State legislators and the University System of New Hampshire board, the breach should be a prompt to ask whether the system has independent, contractually mandated incident response and whether institutions have offline backups that can absorb at least a final exam cycle. UNH’s existing investments in research computing, including its work building out the UNH EDGE NOAA mapping center in Durham, hint at the kind of in-house cyber and data infrastructure that can blunt these vendor-side incidents when they happen.

The Bigger Cybersecurity Picture

ShinyHunters is not a new actor. The group has been linked to high-profile breaches at telecom carriers, ticketing platforms, and retail brands going back several years. Its operating model leans on selling or leaking data after a public extortion window, which is what the May 12 deadline is about. Whether Instructure pays, or in what form, is now a corporate decision with national implications. Federal regulators are reportedly monitoring the case, and several state attorneys general, including New Hampshire’s, are tracking notification obligations under their respective data breach statutes.

The Granite State’s existing data breach law, RSA 359-C:20, requires notice to affected residents and to the attorney general’s office when personal information has been compromised. Whether the Canvas message data and student ID numbers meet that threshold for every New Hampshire resident affected is something Attorney General John Formella’s office is now reviewing alongside Instructure’s outside counsel.

What students should not do, security experts told the AP, is fall for the inevitable follow-on phishing wave. Within 48 hours of the May 7 outage, bogus messages began circulating that asked students to verify their Canvas credentials at look-alike domains. Real Canvas password resets only originate inside the legitimate Instructure environment, and most New Hampshire institutions have already pushed reminders to that effect.

What Faculty and Students Should Do Now

Three practical steps make sense in the near term.

First, faculty across New Hampshire should download current copies of every gradebook and assignment submission from Canvas while access is stable. Even if Instructure restores everything, having a local copy of the term’s record makes any future grade disputes vastly easier to resolve.

Second, students should pay attention to email from their registrar or dean of students, not from Canvas itself. The institutional channels are where any breach-specific identity protection offers, if extended, will appear. If you receive a Canvas-themed email asking you to “verify” or “secure” your account at an outside link, delete it.

Third, anyone applying for graduate programs, internships, or scholarships should keep paper or PDF copies of relevant Canvas correspondence, because the breach has introduced some risk that older messages may be deleted or altered during platform restoration.

The University System of New Hampshire is expected to release a more detailed campus-by-campus advisory this week. For students leaning on Canvas as their primary academic record, the next 30 days will be the test of how seriously every institution treats its vendor risk. For policy watchers, the breach is a reminder that the digital infrastructure underneath higher education is more concentrated and more fragile than the public usually appreciates. And for parents pricing back-to-school technology, our coverage of the best laptops and Chromebooks for students in 2026 remains a sensible starting point for hardware that does not depend entirely on cloud platforms to be useful.

FAQ

Was student financial or password data taken in the Canvas breach?

Instructure has stated that the stolen data does not appear to include passwords, financial information, dates of birth, or government identifiers. The exposure is primarily names, school email addresses, student or staff ID numbers, and in-platform message content.

Which New Hampshire institutions were affected?

The Concord Monitor reported that many New Hampshire schools were affected, including the University of New Hampshire and Dartmouth College, with smaller community colleges, regional state institutions, and some K-12 districts also touched. The breach reached 8,809 institutions worldwide.

Who is responsible for the Canvas breach?

The hacker collective ShinyHunters has claimed responsibility, stating it stole roughly 3.65 terabytes of data covering an estimated 275 million records. The group set a May 12, 2026 deadline for affected institutions to negotiate before releasing data publicly.

Should New Hampshire students change their Canvas password?

Yes. Even though passwords were reportedly not exposed, changing your Canvas password and enabling multi-factor authentication is recommended. Only do so through your institution’s official login page, not through any emailed link.

Will finals and grades be affected at UNH and Dartmouth?

Both institutions have asked faculty to extend deadlines and provide flexibility for students who could not access Canvas during the outage. Dartmouth’s IT office has additionally recommended that instructors keep local backups of gradebooks throughout the rest of the term.