DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Some City University of New York data found on dark web market

Posted on June 9, 2021 by Dissent

One of the newer leak markets is Marketo. Marketo claims, “We put up for sale network accesses and passwords of networks of companies that do not contact us.”  They also maintain a Telegram channel where they elaborate on their service:

We are an independent marketplace for free placement and sale of data stolen by hackers. We are not affiliated with popular ransom groups today and condemn their work as it can harm people in the process of blocking networks and PCs. We are only concerned with information, and if it is of value, as Nathan Rothschild told us, then it can be sold and that is our business model. You can take a look around our site and contact us. Select the item you are interested in.

Listing on Marketo. Image: DataBreaches.net

In mid-May, when DataBreaches.net first became aware of the Marketo site, it contained a statement about entities that were then currently under attack, and a brag that their success rate was better than 85%. One of the sites allegedly then under attack was cuny.edu, the City University of New York. DataBreaches.net reached out to CUNY to ask them if they were aware of the claimed ongoing attack and to give them a heads up if they hadn’t been. The email was sent to security@.  They did not respond at all.

On May 31, Marketo listed CUNY.edu as completed, claiming that they had exfiltrated 11 GB of data. Their proof of claim package consisted of relatively innocuous files.

DataBreaches.net reached out to CUNY again to ask what it had done after this site had tried to alert them to a problem, and to ask what data the threat actors had acquired. Again, there was no response.

So DataBreaches.net asked Marketo what they could or would tell me about that incident, including when the attack began and when it was completed. I also asked whether personal nformation of students had been acquired. A Marketo spokesperson replied:

So, first, I can’t tell you about the date of the attack. Second, we don’t have the students data, so I’ll guess this won’t be much of an interest for you, but what we do have is contact payments, budget reports, projects, contracts and etc.

Marketo promised to provide additional details in a few days, but from the sound of things, this breach likely does not involve a lot of personally identifiable information — or even any. But what did CUNY do when this site attempted to warn them that they were supposedly under attack? How did they follow up, or didn’t they?

Today, DataBreaches.net sent a press inquiry to CUNY, asking what CUNY had done in response to the May 16th alert and to the attack itself.

So far, there has been no response.

This post will be updated if a response s received.

Category: Breach Incidents

Post navigation

← CA: Victor Valley Union High School District
Middletown Man Sentenced To Six Months of Home Confinement For Damaging Former Employer’s Computer Network →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • Ireland’s Data Protection Commission publishes 2024 Annual Report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.