DataBreaches.Net


University of Washington and other universities hacked. Again. And again.

Posted on March 3, 2012 by Dissent

The message at the top of a paste by two hackers pretty much nails it:

A few days back, Team ITNRA hacker ‘HaxOr’ hacked into the University of Washington using a SQL injection. The SQL injection that was abused was fixed, but that doesn’t mean there wasn’t more. Just because someone finds an SQL injection vulnerability in a website doesn’t mean they’re so amazingly good. Anyone can do it, to be quite honest. Just thought I’d share that though.

And so, in yet another breach of U. Washington's servers on February 29, hackers dumped 31 database users' logins and passwords as well as 25 WordPress users' logins, passwords, and e-mail addresses. The passwords were described as encrypted rather than plaintext; the paste does not say whether that means hashed or reversibly encrypted, which matters for how quickly they can be recovered.
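To make the quoted paste's point concrete, here is an added illustration, not code from this post or from any of the sites named: a user lookup that splices request input into SQL text, beside the same lookup with a bound parameter, run against a constructed in-memory SQLite database. The table names, column names, rows and hash placeholders are invented for the example; the second payload shows how a "users" lookup ends up dumping an unrelated table, which is the shape of the database-credential dumps described above.

```python
import sqlite3

# Constructed sample data for the example (not from any real breach):
# a WordPress-style users table and a separate table of database accounts.
SAMPLE_WP_USERS = [
    ("admin",  "$P$B-hash-placeholder-1", "admin@example.edu"),
    ("editor", "$P$B-hash-placeholder-2", "editor@example.edu"),
]
SAMPLE_DB_ACCOUNTS = [
    ("wp_app", "hash-placeholder-3"),
    ("backup", "hash-placeholder-4"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT, user_email TEXT)")
    conn.execute("CREATE TABLE db_accounts (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_WP_USERS)
    conn.executemany("INSERT INTO db_accounts VALUES (?, ?)", SAMPLE_DB_ACCOUNTS)
    return conn


def find_user_vulnerable(conn, login):
    """The pattern behind the hacks in the post: request input spliced into SQL text."""
    sql = f"SELECT user_login, user_pass, user_email FROM wp_users WHERE user_login = '{login}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Same lookup with a bound parameter: the input is sent as a value, never as SQL syntax."""
    sql = "SELECT user_login, user_pass, user_email FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology so every
# row matches; the second appends a UNION that pulls rows from a different table,
# then comments out the trailing quote the application adds.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, secret, '' FROM db_accounts --"


def demo():
    """Run both payloads and one legitimate login through both versions of the lookup."""
    conn = make_db()
    return {
        "vulnerable_tautology": find_user_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vulnerable_union": find_user_vulnerable(conn, PAYLOAD_UNION),
        "safe_tautology": find_user_safe(conn, PAYLOAD_TAUTOLOGY),
        "safe_union": find_user_safe(conn, PAYLOAD_UNION),
        "safe_legit": find_user_safe(conn, "admin"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns every WordPress user for the tautology payload and both db_accounts rows for the UNION payload; the parameterized lookup returns nothing for either and only the one matching row for a real login. The fix is not quote-escaping but keeping data out of the query text, which is what prepared statements (PDO or mysqli in a PHP application) provide.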

U. Washington is certainly not alone in needing to harden its security. Indeed, so many uni sites have been hacked via SQLi that one blogger simply batched a number of breaches during November 2011 involving the University of Washington, University of Oregon, Maricopa Community College, Stanford University, Harvard School of Engineering and Applied Sciences, and Michigan State University. And in a paste made a few weeks ago, one hacker, "Joinse7en," provided a list of specific SQLi-vulnerable URLs for:

  • University of Nebraska-Lincoln
  • University of Wisconsin-Madison
  • Purdue University
  • Northern Arizona University
  • University of California, Los Angeles
  • University of Washington
  • Ohio State University
  • University of California, Berkeley
  • University of Hartford
  • Washington and Lee University
  • Texas Christian University
  • University of North Carolina at Chapel Hill
  • Dowling College
  • University of Houston
  • Nebraska Methodist College
  • Yeshiva University

Whether those leads were acted upon is not known at this time, although a quick search on Pastebin does not turn up any new hacks for the sample I checked.

Thankfully for universities, at least some hackers are taking a break from hacking universities. In a notice published several days ago, two hackers involved write, in part:

We’re suspending Operation Education as the months go by. We may resume Operation Education in the future, but as of now, we’re merely people playing with others.

We, N0B0DY and N0LIFE, want to say that we had a bit of fun getting into the universities that we got into as a part of Operation Education (#OpEdu).

University of Washington
University of Arizona
Cincinnati Christian University
Valley Forge Christian College
University of Florida (Privately)
Cambridge University (Privately; Also e-mailed them; Vulnerability not fixed as last checked)

We’re releasing this public statement to announce that #OpEdu will be delayed for the upcoming months.

The universities around the United States are very well known, whether it be sport-related, academic-related, etc., but that doesn't mean they have the best security.

All we have done is SQL inject these universities, and it’s quite a disappointment to see that universities are in danger of losing data, as well as getting data released.

We showed people that. We’re aware that we haven’t done much, and the list of universities that could be accessed via SQL injection goes on and on, but we showed people that universities are vulnerable. People just haven’t found them.

I’m surprised that this month has been the month that universities have been getting hacked over and over, especially University of Washington. We’ve shown these universities that they need to take better care of security rather than making themselves look like the “best they can be” when hackers can ruin that reputation in one leak.

Universities amass a tremendous amount of personally identifiable information and it’s clear that even large universities are maintaining databases that are inadequately secured.

But if you're surprised by the listing of universities that were hacked in recent weeks because you didn't see any reports in the media, don't be. The mainstream media has not really been following what's going on on Pastebin or other dump sites, so many uni's escape negative media coverage.

It’s clear, however, from what’s been posted by hackers that the state of data security in higher education leaves much to be desired. So what’s the answer? The U.S. Department of Education does basically nothing to ensure uni’s have adequate security and FERPA provides no private cause of action in the event of a privacy breach. How many class action lawsuits would it take against uni’s to get them to finally address some of what should have been addressed long ago?

And if uni's fail to get pastes with personally identifiable information removed from Pastebin or other similar sites, wouldn't that go a long way toward showing negligence and callous disregard in any class action lawsuit? Why are pastes with PII still up on the web? Just saying….


Category: Breach Incidents, Education Sector, Hack, Of Note, U.S.


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.