Breach at Macquarie Uni, hackers claim 1 million plain text passwords exposed


Summary: Macquarie University has had one of its sites breached and left defaced over the weekend, with the hackers responsible claiming to have gained over 1 million passwords stored in plain text.

TOPICS: Security, Australia

Macquarie University has had one of its sites breached and defaced over the weekend, in an apparent attempt to demonstrate that its servers' security is not being maintained to a sufficient standard.

On Friday, one of Macquarie University's web applications, designed to assist international students in applying to study, was breached and defaced by two hackers going by the names of "JuliaDaRanga1000" and "AbbotttheFaggot2000." The defacement makes a number of disparaging remarks about the university's security, mocking what they call a complete lack of security.

"Macquarie University, let me ask you this, who the f*** do you hire for security? Oh, wait, there is none," the two hackers wrote on the site.

"When your administration panel is accessible publicly, what do you think will happen? Once again, as I said, anyone could have done it. It just took some investigating. Don't dub me as an elite hacker, because I simply am not.

"Oh well, you make mistakes, you suffer, you learn. That's how it is for everyone, and your day has come.

"PS Your Oracle database was a piece of s***."

 

Macquarie University's admissions page at the time of the defacement.
(Screenshot by Chris Duckett/ZDNet)

 

Below that, the hackers dumped the names of the tables in its database. Some of the named tables include TBLAPPLICANTCOREDETAILS_AUD and TBLACADEMICRECORDS_AUD, presumably the details of applicants and academic records.

The hackers focused on one table in particular, named TBLUSER, dumping the first row of data to reveal what fields were available. These included fields that appeared to be for each user's first and last name, email address, and password.

The hackers also uploaded a ColdFusion page intended to allow anyone to issue their own SQL statements against the database at will, and so verify for themselves that it was vulnerable and that user passwords were being stored in plain text. If the hackers are to be believed, an earlier count of the entries in the table shows that just over 1 million records were present, dating back to roughly 2007.

ZDNet was unable to confirm what code was used to provide access to the database, but the filename matches a known backdoor that forms part of the fuzzdb project that has the same aim of opening databases to web access. This backdoor only works on ColdFusion 8 and below or unpatched versions of ColdFusion.

Macquarie University told ZDNet that its exposure was limited only to 2600 accounts and that for these, the passwords were encrypted. The university claims that the 1 million records the hackers referred to were not related to the university. It declined to further comment on what those accounts were for or the specifics of the vulnerabilities exploited.

Although the page allowing direct access to the database was removed over the weekend, the defaced site remained up until Monday morning. It is not known who removed the page.

While the hackers' motives remain unknown, one of them claims to have attempted to warn the university of its security issues two years ago.

"I came to your uni. I asked, 'hey guys, do you have anyone monitoring security?' 'are you guys sure that you are secure?'; you neglected me. Shouldn't have. I tried to tell you, you ignored me. F*** you. Trust me; this only took me 20 minutes."

Although the site has been taken offline, Zone-H has since mirrored its defaced state, and Google's listing of the site on its search engine shows some of the defacement text at the time of writing.

A spokesperson for Macquarie University told ZDNet that the site has only been operational for a few weeks, and that it had engaged a third party to host and maintain it offsite on the university's behalf.

"This provider contacted us at 6 a.m. this morning (Monday, December 3) to advise that both site and database appeared to have been compromised; that they had brought the both down immediately, and had commenced an investigation into what had occurred."

The spokesperson also said that the system is isolated, and that no other Macquarie University systems were affected.

"The third-party provider is currently of the view that the system may have been breached via an administrative URL not being correctly secured, and that this probably occurred no earlier than Monday, November 26."

The university is now conducting its own independent investigation, stating that it will "draw on all resources at its disposal to ensure the integrity of its information and that of its community."

In the meantime, the application will remain down until it is confident that the vulnerability has been isolated.

The university has declined to comment on whether it will inform or involve the NSW Privacy Commissioner regarding the breach. However, the NSW Privacy Commissioner's office has informed ZDNet that it has received no official notice from the university as of this morning.

Due to the lack of breach notification laws, as well as the uncertainty of whether the leaked information could be used to personally identify an individual, the university is not required by law to report the breach. It is, however, a practice highly encouraged by state and federal privacy commissioners.

Updated at 9.49am: added comment from the NSW Privacy Commissioner.

Updated at 12.18pm: added further comment from Macquarie University.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.


Talkback

6 comments
  • What OS was the site running on?

    Oh, Linux.

    Oops.
    toddbottom3
    • any os is...

      vulnerable if you do not secure it properly. Leave out SSH public/private key encryption? That will get you bruteforced. Misconfigure the DB admin panel? Anyone can get in... It's not about the OS - it's about hiring someone to penetration test the system.
      petermiller1986
    • What OS was the site running on?

      It wasn't.

      Oops... wrong.
      zenergi@...
  • What do you expect from an ABM CIO?

    Don't think Google on your iPad is much help now Marc?
    Oracle is the bomb?

    https://twitter.com/marcpbailey
    hubivedder
  • the database in question.....

    I have it from a very reliable source that this was NOT an Oracle database
    barry.matthews
    • My money is on it was an Oracle DB

      The hacker seems to know best and Oracle is slow to release patches and makes it hard for admins to then patch.

      What's more interesting is how MQU thinks the problem will go away without anyone making a statement to the effect of who and how many users have been affected. If my personal details - and for an enrollment application process I'd imagine they are extensive - were hacked I'd be very upset at the moment.

      Tragic ... and the CIO who is a bit of a light-weight fanboi hasn't made any comments to date
      hubivedder