by Timothy Page

A major cybersecurity breach at Instructure, the company behind the widely used Canvas learning management system (LMS), has exposed personal data belonging to millions of students, teachers, and staff across thousands of educational institutions worldwide — including several in Vermont.

The incident, first reported in early May, has raised serious concerns for families and schools in the Green Mountain State, where Canvas serves as a primary platform for online learning, course management, and communication at higher education institutions and through virtual learning programs.

What Happened?

Instructure confirmed a cyber incident affecting its cloud-hosted environment. The ransomware/extortion group known as ShinyHunters claimed responsibility, alleging they stole approximately 275 million records and over 3.65 terabytes of data from more than 8,800 institutions.

According to reports, the compromised data includes:

• Names
• Email addresses
• Student ID numbers
• Private messages exchanged between users on the platform

Instructure has stated there is no evidence that passwords, dates of birth, government identifiers (like Social Security numbers), or financial information were accessed. The company says the breach was contained, and Canvas has been restored for most users.

ShinyHunters escalated pressure by posting ransom-style messages on affected Canvas login pages, threatening to release the data if demands are not met by May 12, 2026.

Confirmed Vermont links to the Canvas breach:

Vermont’s educational system relies heavily on Canvas. Institutions confirmed or widely reported to use the platform include:

• Middlebury College (Middlebury, Vermont) is explicitly listed among affected institutions in leaked/claimed data summaries from the ShinyHunters breach.
• Vermont State Colleges System (VSC) — including Vermont State University (VTSU) and Community College of Vermont (CCV) — uses https://vsc.instructure.com as its primary Canvas instance.
• Vermont Law and Graduate School uses vermontlaw.instructure.com.
• Vermont Virtual Learning Cooperative (VTVLC) uses Canvas for K-12 statewide virtual courses.

While specific per-institution confirmation for every Vermont district continues to emerge, the breach’s scale suggests broad potential exposure for students and educators who used Canvas for assignments, discussions, and school communications.

Impact on Vermont

Experts and Instructure recommend the following steps:

1. Change passwords for Canvas and any reused accounts immediately. Use strong, unique passwords and enable multi-factor authentication (MFA).
2. Review school notifications for specific details on affected accounts.
3. Be wary of scams: Expect phishing emails or texts referencing real school details, courses, or teachers.
4. Monitor for identity theft, especially for older students.
5. Contact your school district or institution’s IT department for guidance tailored to Vermont users.

Broader Implications

This breach underscores risks of cloud-based education platforms that centralize vast amounts of student data. With finals season disrupted at many institutions and trust in digital learning tools shaken, calls for stronger cybersecurity standards in education are growing.

Instructure continues to investigate and communicate with affected schools. Vermont officials have not yet issued a statewide alert specific to this breach, but residents should check official channels from the Vermont Agency of Education or their local districts.

Sources

• What to Know About the Canvas Cyberattack | TIME
• ShinyHunters Defacement of Canvas LMS…
• 2026 Canvas security incident | Wikipedia
• Cybercriminal group reportedly breaches Canvas, exposing student information | WCAX
• Canvas system used by thousands of schools is back online after cyberattack | WCAX
• Millions of students’ personal data stolen in major education breach | Malwarebytes
• Additional reporting from AP, BleepingComputer, and community discussions confirming Middlebury College as affected.

This article is based on publicly reported information as of May 11, 2026. Details may evolve.