Human Rights Watch and the children’s mental health charity, Young Minds, have also confirmed they were affected.
The hackers targeted Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software.
The US-based company’s systems were hacked in May.
It has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.
In some cases, the data was limited to that of former students, who has been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.
The BBC has confirmed the institutions affected are:
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Ambrose University in Alberta, Canada
- Human Rights Watch
- Young Minds
- Rhode Island School of Design
- University of Exeter
All the above institutions are sending letters and emails apologising to those on the compromised databases.
In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.
Blackbaud, whose headquarters are based in South Carolina, declined to provide a complete lists of those impacted, saying it wanted to "respect the privacy of our customers".
"The majority of our customers were not part of this incident," the company claimed.