The hacking group ShinyHunters, which claimed responsibility, said nearly 9,000 institutions across at least 10 countries were affected, with around 275 million records stolen, making it the largest education-sector cyberattack on record, according to multiple cybersecurity firms tracking the incident.
The Singapore College of Insurance, the Institute of Singapore Chartered Accountants (ISCA), NTUC LearningHub, The Learning Lab, KLC International Institute and The Learning Space SG were also among the Singapore institutions named, The Straits Times reported.
An NUS spokesperson told The Straits Times on May 9 that the exposed data comprised names, email addresses and matriculation numbers.
“No other sensitive personal information, including login credentials, is compromised,” the university said.
On May 10, NUS instructed students and staff who had previously logged into Canvas to reset their NUS passwords, with affected users prompted to do so when next accessing email, VPN or other NUS systems. Canvas has been placed under controlled access from May 11 to 14, with only selected users granted entry for critical academic or operational purposes.
The attack blocked access to Canvas on May 7 in what was the second breach of operator Instructure in just over a week. The U.S.-based company first disclosed unauthorized activity on May 1 on its status page, after detecting an intrusion on April 29, CNN reported.
Instructure later confirmed the second breach exploited its Free-For-Teacher accounts program, which has since been shut down.
MIT, Oxford and Cambridge were also among the universities named on the affected list, according to TechRadar and The Stanford Daily.
In a message posted to Canvas login pages and circulated on Reddit, ShinyHunters threatened to release the stolen data unless schools negotiated.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement,” the message read, giving institutions until May 12 before “everything is leaked.” Tox is a peer-to-peer messaging platform.
Instructure said in a statement that the breach was limited to “certain identifying information of users at affected institutions, such as names, email addresses and student ID numbers, as well as messages among users.” It said there was no evidence that passwords, dates of birth, government identifiers or financial information were involved.
The Cyber Security Agency of Singapore said on May 8 it was monitoring the situation. “We have reached out to affected organizations to offer assistance and provide advice on mitigation measures,” it said.
ISCA said the potentially affected data was limited to names and email addresses associated with Canvas. “There is no indication that other sensitive data like NRIC or FIN numbers have been compromised,” a spokesperson said on May 8. The institute said its core systems remained unaffected as they do not continuously sync with Canvas, and that it would notify Singapore’s Personal Data Protection Commission as a precaution.
The Singapore College of Insurance said its own systems were unaffected. “While the incident did not occur within SCI’s systems, we are taking the matter very seriously and are in close contact with the vendor,” it said, adding that learning materials remained accessible to students.
ShinyHunters, a financially motivated extortion group believed to have formed in 2019, has been linked to attacks on Ticketmaster, AT&T, Google and several elite universities including Harvard, Princeton and the University of Pennsylvania.