Dutch universities have warned students to be on the alert for phishing attempts following a cyber attack on educational software containing the personal data of millions of students and teachers worldwide.

American ed-tech company Instructure, which is behind the compromised Canvas software, informed seven Dutch universities that their data had been breached, including Tilburg University, Maastricht University, Amsterdam University, the Vrije Universiteit Amsterdam, Erasmus University Rotterdam,  Tech University Eindhoven and Twente University.

Tilburg University said email addresses, student IDs and messages between users had been stolen, while Maastricht University warned its students to “be extra vigilant in the case of unexpected emails asking for personal information”.

The theft of the data of a total of 275 million students, lecturers and other education workers was made public by hackers group Shinyhunters on Monday. The group targeted telecom provider Odido earlier this year, making off with the personal data of millions of Dutch users.

Canvas software is used in some 44 educational institutions across the Netherlands, but it is unclear if they have all been affected.

It is not known if Instructure, which is currently investigating the breach, has given in to demands for pay to prevent the data from being leaked. Shinyhunters said they will negotiate with the affected institutions individually, with a deadline set for Friday.