GhostShell university hack: By the numbers

Records stolen from university databases including the University of Michigan, New York University, Princeton and Harvard were made publicly available yesterday, after hacker group leader 'DeadMellox' tweeted a link to the release posted on Pastebin.

The group claimed to have released just a fraction of what they managed to obtain in campaign "Project WestWind", but it still apparently amounted to 120,000 sets of data.

Identity finder analyzed the SQL breach, and found that the 120,000 records -- now available publicly in a number of cyberlockers and mirror sites -- appear to be "authentic enough" to warrant university investigation.

The data analysis discovered that 36,623 unique email addresses and tens of thousands of student, faculty, staff names were disclosed.

In addition, thousands of usernames, hashed and plain-text passwords, addresses, phone numbers and database schema information can be found within the releases.

Sensitive information including dates of birth, citizenship, ethnicity, marital status and gender is also included. Luckily for the universities, only one bank account number could be found -- and no credit card information or social security numbers were contained within the release.

"Based upon a casual sampling of time stamps in the data set, it appears that the hackers spent at least four months aggregating the information prior to release," explained Aaron Titus, Chief Privacy Officer for Identity Finder. "Although the hackers claim to have posted 120,000 accounts, Identity Finder could only confirm around 40,000 accounts exposed. 40,000 accounts is still a large number, and it is possible that the hackers had access to far more."

GhostShell has cited tuition fees, political agendas, tough teaching regulations and job uncertainty for graduates as reasons for the campaign.