ShinyHunters group claims breach of nearly 9,000 US schools, stealing 280 million records

US universities including Harvard, Stanford and thousands of other institutions have been hit by a massive cyber hack following an earlier data breach.

The attack on Thursday, claimed by ShinyHunters, a well-known cyber extortion group active since at least 2019, saw access to the Canvas learning platform blocked.

The group claims to have compromised 280 million student and staff records from 8,809 colleges, school districts, and online education platforms.

According to the Harvard Crimson student newspaper and posts on social media, students attempting to access the system saw a message from the hacking group saying servers belonging to Canvas's parent company Instructure had "again" been breached.

"Instead of contacting us to resolve it they ignored us and did some 'security patches,'" the hackers said.

"If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately...to negotiate a settlement."

The group warned it would release all stolen data if schools did not make contact by May 12.

The message included a link to a list of schools ShinyHunters claims to have breached through Canvas.

Many universities across the United States, including Columbia University, Rutgers, Princeton, Kent State, Harvard and Georgetown, issued statements alerting students to a cyberattack affecting institutions nationwide.

School districts in the US states of California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, and Virginia have also been affected.

Stanford University said Canvas was "currently unavailable due to an issue being experienced by the vendor," adding that Instructure had recently disclosed a nationwide information security issue it said had been contained.

But a further outage was now affecting Canvas customers including Stanford and "numerous other educational institutions nationwide," the university added.

Instructure said the stolen data in the original breach included personal details such as names, email addresses and student ID numbers, along with private messages exchanged between users.