DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Another week, another list of vulnerable EDU sites

Posted on April 18, 2015 by Dissent

Last week, this site compiled a list of universities and colleges that TeaMp0isoN had reported were vulnerable to SQL injection or XSS attacks. This week, I’ve again compiled their tweets into one list.

As I did last week, I am only providing the names of the schools and not the vulnerable urls. This week, however, I am also including universities reported to have XSS vulnerabilities by XSSposed.org.

The hyperlinks below go to reports of past hacks involving the named university. The absence of a link doesn’t mean the entity hasn’t been hacked – only that I don’t find any mention of a hack for them on this blog.

Bucknell University* (SQLi)
Cornell University (XSS)****
Indiana University (XSS)
McGill University (SQLi)
MIT  (XSS)
New York University (two XSS vulnerabilities reported)
Princeton University** (XSS)
Stanford University*** (XSS)
Truman State University (SQLi)
University of North Carolina (XSS) (multiple hacks and breaches)
University of Oregon (SQLi)
University of Toronto (reported to have “Multiple SQLi vulnerabilities”)
Vancouver Island University (SQLi)
Wayne State University (SQLi)

Notes:

*Bucknell was also listed last week. This is a second SQLi vulnerability.

** Princeton was also listed last week as having an XSS vulnerability. This is another XSS vulnerability in a different subdomain. XSSposed.org notes 3 unpatched vulnerabilities for this university so far this year.

*** Stanford was also listed last week as having an XSS vulnerability. This is another XSS vulnerability in a different subdomain. XSSposed.org notes 8 unpatched XSS vulnerabilities so far this year. In 2013, the university reported a breach requiring a password reset. In 2014, Daniel Trenton Krueger, one of two leaders of the hacking group known as Team Digi7al, was sentenced for hacking a number of entities, including Stanford. It’s not known to this site if he was the attacker in the 2013 breach or there was a second Stanford hack.

**** Cornell  has had other breaches reported on my blog. Most recently, they were hacked in January of this year.

What’s the point of this, you may well ask. Well, I’ve been on a soapbox for years that the EDU sector needs better data security to protect students’ information. Not all these vulnerabilities risk compromising personal information, but it would be nice to see the education sector improve their security – and for some federal agency to actually monitor or take enforcement action against schools that have repeated breaches.

There, I said it again.

Are you listening, U.S Education Department and the FTC?  Are you listening, Congress?

I sincerely hope so.

And if your school is on this week’s list and you want more details, see @TeaMp0isoN_  and @xssposed on Twitter.

Category: Breach IncidentsCommentaries and Analyses

Post navigation

← Teenagers Suspected of Hacking Belgian and French Websites
Has the Premera breach resulted in tax refund fraud? →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.