Bogdan Popa reports:
Security pentester Kapustkiy has managed to break into the Eastern Indian Regional Council server and access the data of no less than 17,000 students, in an attempt to show once again how vulnerable websites belonging to some authorities across the world actually are.
This breach comes just a few days after the same Kapustkiy infiltrated an Italian government website, also exposing login credentials of thousands of accounts.
In this case, Kapustkiy turned to an SQL injection to get past security systems of the Eastern Indian Regional Council website and access a database of no less than 17,000 users.
Read more on Softpedia.
Although the data are referred to as being from “students,” and the council does have a section of the site for students and a “study circle,” the council is the “Institute of Chartered Accountants of India.” So it’s not a university, but does have materials for those studying to become accountants.
The leaked data in one table have the following fields: membership number, password, name, and email address, while the fields in a second table include registration number, name, password, and email address. All passwords were in plain text and generally incredibly weak. I hope those individuals don’t use those same passwords across sites.
The leak was announced from @Kapustkiy’s Twitter account. As he has done in the past, he notified the entity of the vulnerability first.
Interestingly, he also announced today that he had removed the file from the breach of the Italian government website. “Enough proof that the database was real. The website is under maintenance,” Kapustkiy tweeted.