Cyber Sentience said it found the information being traded on websites on the so-called dark web for just a few dollars last year.
In a report published on Monday, it said it also found evidence hackers were using a New Zealand primary school's website as a training ground to practise hacking.
It said cyberattacks on New Zealand education institutions were growing exponentially, and schools in particular needed more protection.
Information for sale last year included alleged vulnerabilities in the IT systems of seven of New Zealand's eight universities, access to 556 education sector web services and to 31 institutions' email services, it said.
Hackers were also sharing the logins and passwords of 2359 people in universities, polytechnics and industry training organisations and for countless people in schools.
It said one hacker was selling backdoor access to a primary school's IT systems and others were sharing a database stolen from a secondary school.
Cyber Sentience founder Tom Crisp said stolen personal credentials generally sold for between $US2-$10 ($NZ3.30-$16) and access to a New Zealand school's webserver was listed for $US8.
Crisp said he did not know if any of the hacks had resulted in financial losses or blackmail of individuals or institutions.
He said several posts indicated hackers had discovered and shared a vulnerability in a web application belonging to a New Zealand school several years ago.
"A few years later, we detect Russian, Turkish and Arabic-speaking threat actors in closed communities sharing this vulnerability as a 'training target'. Interactive mentoring encouraged and supported the abuse of this school's system.
"One of the locations where this activity was occurring is known to be state aligned, with the others focused on e-crime and hacktivism."
'On the money'
Ministry of Education chief digital officer Stuart Wakefield told RNZ he could not confirm the report's details but its broad findings about the types of problems affecting schools were "definitely on the money".
Wakefield said schools' computer networks were well-protected, but students and staff often used their computers and phones at home and for purposes other than school-work.
"What this report shows is students are using things like their school-issued email address as their username on a whole range of websites and systems and apps and services, and some small number of those has been compromised," he said.
Wakefield said the ministry contacted schools when it found that student or staff credentials had been stolen, but it was hard to stay ahead of the hackers.
"We're always playing a little bit of catch-up here. We're talking about an organised criminal enterprise here that is trying to exploit not just schools and kura but all New Zealand organisations and all New Zealanders," he said.
"To that extent that we can we are putting all our effort into things that mitigate that risk, so precautions such as use of two-factor authentication and making sure people have strong passwords and making sure their devices are kept up to date with the latest patches."
Universities use existing expertise
Wakefield said Cyber Sentience had refused to provide detailed information without payment.
Crisp said the company had arrangements with other organisations which meant it could not share further information with the Ministry of Education without a formal agreement.
Meanwhile, universities dismissed Cyber Sentience's approach to them earlier this year as an attempt to generate business.
Universities New Zealand told RNZ its members preferred to use their existing in-house or third-party expertise to manage cyber security.
It could not confirm whether universities investigated alleged vulnerabilities raised by Cyber Sentience and universities did not answer RNZ's questions about whether those vulnerabilities had been investigated and found to exist.
AUT and the University of Waikato said Cyber Sentience's information did not raise any concerns.
RNZ reported last year that a major school IT project was on hold because school's IT systems were too vulnerable to hacking, and an assessment in March 2022 found major gaps in schools' cybersecurity.
