Dartmouth has received “no information to suggest that Canvas usage poses any additional security risk at this time,” College spokesperson Jana Barnello wrote in a May 13 email statement to The Dartmouth on behalf of the Information, Technology and Consulting office. Students at nearly 9,000 colleges and universities lost access to Canvas after the breach on May 7, when criminal hacker and extortion group ShinyHunters breached Infrastructure, Canvas’s developer and publisher.
“At this time, Instructure has found no indication that course content, submissions or credentials were compromised in this incident,” Barnello wrote. “The company also previously communicated that passwords, dates of birth, government identifiers or financial information were not involved.”
In a statement to The Dartmouth, Instructure wrote that they “took Canvas offline to contain access and further investigate” on May 7 once they discovered that the unauthorized user made changes to pages that appeared when some users accessed them. Access was restored in the evening of May 7, according to an update published by Instructure on their website.
As a result of the Canvas outage, some Dartmouth professors rescheduled assignment due dates and midterms.
ECON 39: “International Trade” professor Douglas Irwin postponed a midterm from May 8 to May 11.
“It was really unfair for students the night before an exam not to have access to a lot of the course materials, which are on Canvas,” Irwin said in an interview with The Dartmouth.
Similarly, quantitative social science professor Peter DeWan pushed back the due date for a problem set in QSS 41: “Analysis of Social Networks” from May 8 to May 10. In an email statement to The Dartmouth, DeWan said he did this because “any students wishing to work on it the night before it was due were not able to.”
QSS 41 student Jesse Fitzelle-Jones ’27 said DeWan was “reasonable” about the breach.
“I assumed that he would probably move it if [Canvas] wasn’t available,” Fitzelle-Jones said.
Before Canvas was taken by Instructure, ShinyHunters wrote in a statement visible on students’ Canvas pages that affected colleges and universities had “till the end of the day by 12 May 2026 before everything is leaked.”
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at Tox [an encrypted communication channel] to negotiate a settlement,” ShinyHunters wrote.
Instructure wrote in a status update on their website that they “reached a deal” on May 11 with ShinyHunters by which stolen data was returned to Instructure. Instructure “received digital confirmation” that ShinyHunters destroyed stolen data.
“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor,” Instructure wrote.
The company did not say what it gave ShinyHunters in return for the stolen data.
