GhostShell university hack: By the numbers

GhostShell university hack: By the numbers

Summary: Yesterday, hacktivist group GhostShell claimed to have breached 100 top university servers, releasing 120,000 records. But how much information was sensitive?

TOPICS: Security

Records stolen from university databases including the University of Michigan, New York University, Princeton and Harvard were made publicly available yesterday, after hacker group leader 'DeadMellox' tweeted a link to the release posted on Pastebin.


The group claimed to have released just a fraction of what they managed to obtain in campaign "Project WestWind", but it still apparently amounted to 120,000 sets of data.

Identity finder analyzed the SQL breach, and found that the 120,000 records -- now available publicly in a number of cyberlockers and mirror sites -- appear to be "authentic enough" to warrant university investigation.

The data analysis discovered that 36,623 unique email addresses and tens of thousands of student, faculty, staff names were disclosed.

In addition, thousands of usernames, hashed and plain-text passwords, addresses, phone numbers and database schema information can be found within the releases.

Sensitive information including dates of birth, citizenship, ethnicity, marital status and gender is also included. Luckily for the universities, only one bank account number could be found -- and no credit card information or social security numbers were contained within the release.

"Based upon a casual sampling of time stamps in the data set, it appears that the hackers spent at least four months aggregating the information prior to release," explained Aaron Titus, Chief Privacy Officer for Identity Finder. "Although the hackers claim to have posted 120,000 accounts, Identity Finder could only confirm around 40,000 accounts exposed. 40,000 accounts is still a large number, and it is possible that the hackers had access to far more."

GhostShell has cited tuition fees, political agendas, tough teaching regulations and job uncertainty for graduates as reasons for the campaign.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What does this accomplish

    If they are making a statement against high tuition and job uncertainty - which are essentially student woes, then how does inflicting further strife on students by hacking and posting their info help anything? I get the message on elitism and fair play, but the people who need to hear that are a very select few at the top, so it seems like this is the wrong way to send that message - it punishes too many regular people in collateral damage.
  • Until there are real consequences...

    The people who's information has been exposed needs to sue each member of the group.

    The group needs to be prosecuted and then jailed in tents in the middle of the desert with no computers at all.

    When finally paroled with the condition they cannot touch a computer type device (smart phones included) for 20 years.

    Maybe they will finally get the clue that their behovoir is not acceptable.
  • Who is more at fault?

    I always have to wonder who to blame in cases like this.

    Obviously there are a lot of businesses and services that can adequately protect their data, so when these breaches happen, should the data storage entity be blamed?
    Case in point: plain text passwords - really? Who at this point doesn't hash and secure passwords?

    Obviously there is some blame to place on the hackers, but I would argue not all of it - maybe half in my opinion. Everyone knows the internet is wide open, so how do databases not get tested for security in 2012?
    • The hackers are all at fault

      Yes, people need to secure their systems but putting blame on them for other people's illegal activity is like blaming the weapon manufacturer for a murder.
      • or

        Or blaming the store owner for putting their merchandise in easy reach of shoplifters..
        • that actually happens

          Stores have insurance for a reason. Their merchandise does walk away. And the stores responded with security measures, and electronic devices to prevent theft.

          Suppose a store sold high end items and had no security - even after being told/shown that they will lose items. Then they totally not blameless. The insurance company would be well within their right to deny the claim, since the store did not take adequate and "reasonable" precautions.

          These students are entrusting the schools with a lot of sensitive data. Data they MUST provide to complete their education. That is not a trivial piece of their lives. Why do the schools consider trivial security adequate?

          Hackers are a fact of life. Plain text passwords? really? SQL injections??

          The schools are not blameless at all.
      • bad analogy

        A more accurate analogy is blaming a weapons manufacturer for a murder committed with their gun after they left it loaded by an open window.

        Obviously there was illegal activity used to get the data, but the data stewards should have done a better job protecting the sensitive data.
        • better analogy

          The gun was on private property behind a door which was not well locked. The hackers did not just stumble on something sitting in an open window. They wanted something specific looked for it and they had to break in. It shouldn't have been so easy to break in but it wasn't just sitting there.
  • hackers are the best testers we have

    Yes they have given developers the best help anyone can get.

    Developers of all levels are guilty of chasing their tails and all at the expense of the customer.

    This will happen for awhile yet because of the secrecy of companies hell bent on making a fortune out of the web.

    Evolutionary practices are the order of the day which means we are a long way off a secure digital world.

    Unless you can come up with a model to factor out stupidity and greed I say live with it..