The hackers could have accessed information on nearly one million students through the Mercenat-card and CSN-card sites.
What information they actually accessed remains unclear.
In messages left on the homepages, the hackers wrote that they carried out the attack simply to demonstrate the sites’ weak security.
They added that they didn’t intend to use any of the information they had accessed.
The breach was discovered around 6 o’clock on Saturday evening and within half an hour both websites and their related databases were shut down.
No decision has been taken on when the sites may reopen. Until then, those who have cards connected with the two sites will be unable to use their student discounts when shopping on the internet.
Student discounts for travel on Swedish rail operator SJ and SAS airlines are unaffected by the incident.
Both discount card sites are managed by Mercenat.
“We’re taking the incident extremely seriously and will report it to the police as soon as have collected all relevant information,” said Mercenat managing director Jonas Levin.
The discount card websites do not contain any information about students beyond names, addresses, and Swedish personal identity numbers (personnummer).
Nor do they contain information on people with protected identities.
“It is important to stress that the hackers didn’t penetrate the main website for [student lending organization] CSN,” said Mercenat managing director Jonas Levin.
“No details on student’s financial support for their studies or student loans or any such thing could be accessed,” added Levin.
On Sunday, Mercenat sent emails to students suggesting they change their user names and passwords.