Metropolitan State University updates details on hack claimed by Abdilo

Back in January, reported that Metropolitan State University had acknowledged that they had been hacked. As I reported at that time, a teenage hacker from Australia, who used the Twitter name @Abdilo, had previously claimed in December that he had hacked them via SQL injection, and he thanked them for 22,000 Social Security numbers. They were only one of dozens of education sector hacks Abdilo claimed to have executed SQL injections on because of their “idiotic security.” Abdilo has since had his home raided by law enforcement in Australia. Now Metropolitan State University seems to have updated their disclosure. Pioneer Press reported today that MSU says that  a hacker could have accessed data on about 160,000 past and present students in December, but no financial information was exposed. They are now also providing more details on the type of data involved: The St. Paul school said the data included names, birth dates, contact information and grades. The school said the last four digits of the Social Security numbers of about 11,000 students also likely were exposed; those students will be notified by mail. Metro State said in February that 900 faculty members from 2004-09 had their Social Security numbers exposed. The staff were offered identity protection services. “Likely exposed?” Abdilo claimed in December that there were 22k SSN. I wonder if Australian law enforcement is sharing anything they find on Abdilo’s computers – if he’s turned over his encryption keys and hadn’t destroyed the data he had hacked. I also wonder – no, hope – that Metro State  saw the message Abdilo included to them in his February paste – months after the initial hack and their disclosure of it: illy for publicly announcing you got sqli’d, but check your subdomains you are still vuln to sqli <3.

Aussie teen hacker Abdilo’s home raided, and he’s ordered to turn over his passwords and decryption keys

Will Ockenden and Benjamin Sveen report that the teenage hacker known as “Abdilo” had his home raided by Australian law enforcement in a pre-dawn raid. has reported on a number of Abdilo’s claimed hacks, which included an Australian travel insurance company, the University of Sydney, and numerous educational institutions in the U.S. and elsewhere.  Most of his attacks exploited SQL injection vulnerabilities, as he pointed out in an in-your-face post to a mail list on security in the education sector. ABC reports: An AFP spokesperson confirmed to the ABC search warrants were recently executed in Queensland as part of an “ongoing investigation” into the hacking incidents. The police would not comment further, saying the investigation is still ongoing. The ABC learnt of the raids via Abdilo, who is known online under other pseudonyms such as Notavirus, Surivaton and Grey Hat Mafia’s Bitch. Read more on ABC (AU), who also report that the Australian Privacy Commissioner is investigating the Aussie Travel Cover breach, as the firm reportedly did not notify policy holders, despite Abdilo claiming that he had “hundreds of thousands” of customers’ details.  

Update: U. of Sydney hack was by Abdilo; Dozens of others attacked, too

Earlier today, I posted a breach involving the University of Sydney. As an update, can now report that the breach was the work of Abdilo, who has made a point of going after universities (as other posts on this site have demonstrated).  Abdilo had dropped hints about an Orsee 0day previously. Today, however, he made it clear that this was his attack, both tweeting about it and posting this on Pastebin: notice my hint: #or can you see it? #That is the question #OR can you SEE it orsee [remainder of paste redacted by so as not to provide others with directions for compromising sites] Note that the University of Sydney was one of the educational institutions Abdilo had noted was vulnerable to exploiting an Orsee vulnerability in a post he made to Pastebin on February 2, although at the time, he didn’t name Orsee. Because his claims have now been confirmed by one of his targets, is publishing his list of vulnerable institutions  and organizations in the hopes that they will investigate, determine whether they have been hacked through Orsee, and secure or disable the application: x uni-mannheim.e If your university isn’t on the list, don’t breathe a sigh of relief too quickly. Check out this larger list of universities Abdilo claims to have hacked via SQLi.

Dear EDUCAUSE Security Maillist – some advice from Abdilo

When someone who’s either hacked your databases or is likely to hack them in the future tells you how to prevent his type of attacks, you might want to pay some attention. Seen on Pastebin, as posted by Abdilo: Dear EDUCAUSE Security Mail-list, ( Good luck profiling me <3 ) How to stop me from owning your shit: Read this: Spend 10 minutes google dorking your own site: ext:asp OR ext:aspx OR ext:cfm OR ext:jsp OR ext:do OR ext:php Write down what extensions you have. Then do this: ext:asp inurl:asp*id (Do this for the rest of the extensions as well) then test each result for sqli, and put -filenameyouauditted and continue. Viola you have just found sqlis in your sites and now follow to fix them. Now for the hard truth: you cannot secure from sql injections, xsses, rces, lfis, rfis, or any kind of vuln you let me upload shells via any upload script you have on your site(Even if its in admin it is still a risk) you give me database admin you give me xp_cmdshell as nt authority you run mysqld as root you give your subdomains database admin (Ever wonder how china gets your medical records?) you dont check your subdomain’s access.log (I’ve had a subdomain on one of the more “secure” edu websites dump for 3 months straight and you could of caught me if you checked access.log 🙂 ) you leave CFIDE open and vulnerable you run outdated kernels you run outdated versions of php and apache you are lazy you check nothing you audit nothing you trust ids too much you do not listen because your egos are too big(If you call up one a uni and say they are vuln to sqli they scream “NO WE ARE NOT”) Dont set your ids to australia, i use vpses to dump the dbs not my aussie ip(8kbp/s is not great for dumping dbs LOL), i dont use tor either when i dump dbs, i use my vps/dedi ips. Towards your idiotic remarks about having friends in afp…. that was pathetic and i laughed for 10 mins almost falling onto the ground: You are a bunch of kids yelling for the principal when someone tricked you into telling them your crush, they didnt release this info but you are still as mad that they know who it is. Instead of learning from it you leave yourself vulnerable to other attackers. I can go to prison and there will still be hundreds of other people stealing your dbs. I have taught a select few people my exact ways, and they themselves can go pwn your edu sites within minutes just like me. I would not exists if your security was not based from 1990s principles. Please for the love of god learn to fix your sites!!!(Go ask @TroyHunt to help you secure your sites if you cannot understand bobbytables). Tip for those using msaccess: put some long as hell random prefix on your tables and columns that way no one can figure out the names and thus you loose little to no data when you get sqlied message me if you want the sqli, you are the only uni I respect. illy for publicly announcing you got sqli’d, but check your subdomains you are still vuln to sqli <3. Edu security from shittest to best: USA — UK — SOUTHKOREA — EVERYOTHERCOUNTRY — AUS As for me, fuck your edus i have owned them all, im done with your idiotic “security”, in a year or so i will come back and audit them all, except i will go and drop your damn tables and format your drives, i suggest fixing your sites before then.(I cannot stop other people from going and raeping your sites, only you can) Sincerely, Abdilo PS: Use this song as a timeframe for you to find sqlis in your site: If you fail to find sqlis before then, then you are slower then all the people i have taught

Metropolitan State U. disclosed breach, but what about other .edu targets of Abdilo?

On December 31, a self-described teenage hacker from Australia who calls himself “Abdilo” claimed to have hacked into dozens of education entities by exploiting SQLi vulnerabilities. Metropolitan State University acknowledged they were breached, but what is going on with the other educational entities that were allegedly hacked, too? Abdilo claims that he started attacking .edu sites back in August, and by October had 80 .edu sites compromised.  He also claims to have numerous .gov, .mil, and business companies, but this post is only focusing on the education sector attacks, as we haven’t seen any public disclosure from most of them. Do they even know they were allegedly hacked? Abdilo claims to have hacked public and private educational entities in the U.S. and elsewhere. His list, below, is edited  to only include the .edu entities he claims to have hacked, with his comments: Here are some of the sites i messed with: every *.k12 site is vuln to sql injection. broke into you cause i like 22 jump street, thanks for the 22k ssns) reason) steven hawkings) school my ass) guy found a sqli in you then i found a better one… fuck you) easy) a challange but they are dumb) for the 6k sqlis loved it LOL) sqlied you 4 times while obnoxious called you up on the phone to troll you and tell you, then we decided to fuck with you by dumping your database 4 times then asking for booty pix else we release it) Catholics? lol I have no reason I just did it for the hell of it) I has all ur records) are all christian schools vuln to sqli besides MERCY FOR YOU)…. I have nothing funny to say lol) another chirstian school) alexa rank) are yuky) you have a shit alexa rank) was watching dexter and wanted to get into your police station… this was close enough for me) fixed it don’t worry, twas funny having a sqli in a 1.5k alexa rank site) the law) facts are really messed up ;)) idea why I attacked you lol your name is a bitch to type) university of oregon… you mad?) ;))****** ;)) thought you were a news agency) have no alexa rank.. at all) 2,063,219…….) domain, that is all) you tiny) were worth the time and effort) U DUMB AS FUCK) easy) And that, allegedly, is just some of the .edu sites attacked. Abdilo writes: I cannot remember the majority of edu/gov i have sqlied, i didnt keep a good enough record and one of my hdds is now… melted and destoryed. Note that the University of Kentucky was recently mentioned on this blog in the context of a post about hacks mentioned on #TeamCarbonic’s web site by @MarxistAttorney. And although they informed this blog that they were investigating those claims, they never got back to with any statement as to whether they had found confirmation of a breach – by anyone.  Berkeley was also mentioned recently on this blog, but without exploring the data dump, it is not known to me whether this is the same hack as Abdilo claimed. Abdilo claims that he wanted to see what would happen, and notes that despite all his attacks on .edu, .gov, and .mil, “no cops came calling.” One would think they would. In the interim, if anyone is aware that any of Abdilo’s other targets have subsequently acknowledged being hacked, please use the Comments section below to let me know.

SCOOP: Australian national known as “DR32” to stand trial in U.S. on hacking charges

Australia has ordered an Australian national, David Kee Crees, extradited to the U.S., where he faces 22 counts involving hacking, fraud, and aggravated identity theft. Two of Crees’ better-known aliases were “Abdilo” and “DR32.” “Abdilo” DataBreaches started reporting on Crees in 2015 when he was known to this site as “Abdilo.”  At the time, he targeted so many educational institutions that this site reported on him about a dozen times. But his hacks of educational institutions were not his only activities; he was also attacking Australian businesses and government agencies. In those days, however, his attacks on government agencies did not cause severe damage as he attacked web applications that contained either public information or information that would be made public. In December 2014, Brian Krebs reported on abdilo in a post about Lizard Squad, the group that spoiled Christmas 2014 for many people by launching a DDoS attack on PlayStation Network and Xbox Live. Discussing abdilo, Krebs wrote, in part: It’s worth noting that the individual who registered LizardStresser is an interesting and angry teenager who appears to hail from Australia and uses the nickname “abdilo.” In the comments under the post, a commenter named abdilo as “David Crees” and mentioned other aliases of his:  Notavirus, Surivaton, and Grey Hat Mafia’s Bitch. His Surivaton alias most recently appeared on March 1 of this year on Github for a “RemoteBGPHijack” repository. Although abdilo was a bit of an energizer bunny in his hacking back then and even live-streamed his SQL injection hacks, he was either unconcerned about getting arrested or had poor OpSec. In early 2015, Abdilo had already been raided by the Australian Federal Police, but even that didn’t deter him. What happened after that is not as well publicly documented as his earlier activities. In fact, in 2018, this blogger even tweeted a query as to whether he was still around or active.  Abdilo got in touch with DataBreaches, but didn’t say much about what he was involved in or doing at that point. Some open source searches revealed that in 2019, Crees registered a business in Australia that he called SQLI. It was registered at an address in Oaklands Park.  In 2021, Crees registered a second business that he called ROOTKIT. It was registered at an address in Collinswood. Court filings by the U.S. allege that these businesses were used for money laundering purposes. Although DataBreaches lost track of abdilo,  he was reportedly very busy. In 2021, the U.S. presented a case to a grand jury in Colorado. On December 7, 2021, the grand jury indicted Crees on 22 counts. The case arose from an investigation by the U.S. Department of Homeland Security, Homeland Security Investigations (HSI) and covered a period  from approximately June 2020 to July 2021. During that time, DHS/HSI used undercover agents who made deals with Crees and investigated his claims. In all of the incidents described below, Crees was dealing with one undercover agent who claimed he was representing a buyer or potential buyer. A second undercover agent would sent payments to Crees as part of the deals being made. Consistent with U.S. policy in filing indictments and documents that will be made public, the names of the victim entities are not included in the indictment and affidavit in support of the extradition request. Only general descriptions of the entities are provided in the court filings, although Crees will be informed of the actual identity for defense purposes. Note: The bulk of this report is based on the indictment by the grand jury in Colorado and the affidavit in support of the extradition request. These documents are not publicly available in the U.S. at this time and are still under seal here. They were obtained from the Australian court that heard and ruled on the extradition request, with the understanding and agreement that DataBreaches would not reproduce the filings in any publication. Any images included in this article were obtained by DataBreaches via OSINT research and not from any court documents. Typos in quoted statements by DR32 are as in the court filings. Who Is David Crees? Crees is a 24 year-old Australian national who at times, has used his real name on internet forums and platforms. The pictures of Crees in his Twitter header, below, match other photos of him obtained by the U.S. government. Crees was very engaged in biohacking and would post pictures of his hands and arms to show implanted LEDs. The photos he posted of himself were used by law enforcement to help confirm his identification.   U.S. law enforcement did not find it terribly challenging to identify DR32 as Crees. In his conversations with the undercover agent, Crees told the agent that he lives in Adelaide, Australia and used to live in Alice.  On another occasion, Crees mentioned that he had acquired a famous email address. When the agent received an email from that address, the name on it was “David Crees.” But there was more. Because Crees was so involved in biohacking and posted on a manufacturer’s forum, the government was able to get the manufacturer’s records as to whom and to where they had shipped items Crees had posted about.  It didn’t hurt that Crees had actually posted as “Abdilo/David Crees.” The manufacturer’s records show that they had shipped to David Crees at  8 Redmond St Unit 4, Collinswood, South Australia. That is the same address where Crees had registered his “Rootkit” business under his real name (see figure above). In addition to the aliases mentioned above, Crees did have other aliases, some of which were shared. Crees Charged with 22 Counts As an overview of what Crees has been charged with, the following is a summary of the 22 counts he is facing: Counts Description Counts 1-7 Fraud and related activity in connection with computers, and aiding and abetting, in violation of Title 18, United States Code (U.S.C.), Sections 1030(a)(2)(C), 1030(b), 1030(c)(2)(B)(i), and 2, which carries a maximum penalty of five years in prison for […]

Follow-Up: How the University of Sydney Was Hacked

Back in February, we noted a hack involving the University of Sydney.  A young hacker named “Abdilo” claimed responsibility for it and noted that he had exploited an Orsee vulnerability. Last week, Chris Howell of Honi Soit followed up on the breach: Closer to home, a reliance on security through obscurity seems to be partially responsible for the February 2015 breach of the University’s Online Recruitment System for Economic Experiments (ORSEE), which disclosed the personal information of 5684 students and an unknown number of staff to an as yet unidentified attacker. The incident has led to concerning revelations about the University’s information security policies, serving as yet another reminder that large organisations are failing to do all that they can to secure our data. The ORSEE breach occurred because the system contained a fundamental security flaw. Known as an SQL Injection vulnerability, an examination of the ORSEE source code reveals the bug existed unpatched in the system from its first main release in 2004 to August of 2014; for a little over a decade, ORSEE was trivially easy to break into. The moment the School of Economics deployed the system in 2008, they were risking the disclosure of users’ private information. Honi has obtained a copy of a report detailing the findings of the University’s internal investigation into the breach. The report indicates that ORSEE was initially deployed by the Faculty of Arts and Social Sciences without a security audit. In 2013, five years after its deployment, the University’s ICT group identified the vulnerability as part of a security review and developed a patch for it, seven months prior to the official patch distributed by the ORSEE developers. Shockingly, the University didn’t bother to deploy its security fix “as further development work was being done”, seemingly waiting until a planned upgrade to use the Unikey authentication system was complete. For over a year, the University knew about the vulnerability, but relied on security through obscurity and, utterly unsurprisingly, it was as if they had relied on no security at all. Read more on Honi Soit.

Northwestern U. hacked, but no personal info on server

Part of Northwestern University‘s network has been offline for over a week as a result of a hack first disclosed on Twitter. On April 5, “MLT” reported a XSS (Cross-Site Scripting) vulnerability on involving And then this happened: Some Random University Login page : Admin Email : [email protected] Password : manager Yours Truly, ~Chief. — Chief (@Puttied) April 6, 2015 According to statements made to by @Puttied, he acquired six login credentials, but didn’t attempt to download or acquire any other data. He says that although he defaced the site by redirecting the “Home” button on their control access panel to his Twitter account, it still took the university three days to realize they’d been attacked and to take the server offline. @Puttied informs that although he was aware of the XSS vulnerability, he attacked the site using an SQL injection. This is not the first time this year that Northwestern U. has had reported security issues. In January, @AnonGhost (whose Twitter account is now suspended) announced a defacement of their youstem subdomain. A screenshot of that defacement can be found here. Then in February, SLC Security noted that open-source intelligence suggested that Northwestern University was compromised, but no further details or confirmation was provided. SLC Security’s observation was noted on this site on Feb. 3. Whether Northwestern U. ever took note of those reports is unknown to this site. As noted ad nauseum, the number of schools with SQLi vulnerabilities is legion. As recently as April 6, SLC Security reported: Colleges check for SQLi on your systems! Honestly for the past few months we have seen nothing but a rash of colleges and universities getting smacked with SQLi exploits. Test your servers or I’m sure the hackers responsible for these attacks will test it for you.We have at least 26 confirmed reports of breaches of which some have been reported and some have been brushed under the rug… To which this blogger says “Amen!” I hear every day from young hackers who are more than eager to test their skills with SQLi exploits on universities. And as much as I’d hate to encourage them by publishing their hacks, I will publish at least some of them because schools need to wake up and do a better job of securing their servers. Just as Abdilo was very “in your face and up your servers” to universities about targeting the education sector for their lax security, @Puttied also has a message for Northwestern University: You’re a University site with the extension .edu at the end of it, therefore the government sees you as a priority. There are charges for hacking or tampering with an educational site, but i think you should be able to fix simple sql or xss vulnerabilities. The carelessness of not doing that has given someone like me a toy to play with, therefore you suffer. emailed Northwestern U. yesterday and asked a number of questions about what was on the compromised server and  what they were doing to prevent future attacks. Today, the university sent this statement: The server was used by Northwestern’s Block Museum of Art and had the index to the museum’s art collection so people could search the collection online. All of that is public information. No personal data was stored on that server. The server is being replaced. So, no big deal? This time, maybe.

“University of Racism” hacked; will others go after U. of Oklahoma student records?

“Because none of them seem to give a shit…” – a hacker commenting on the lack of response to notifying the U. of Oklahoma that he had hacked them.  This blogger has repeatedly lamented the generally inadequate data security in the education sector and the fact that no federal agency actually enforces data security at the post-secondary level. Over the past few months, has posted numerous examples of universities that were attacked by SQLi attacks launched by Abdilo, Attorney, and Carbonic (among others). With a few notable exceptions, the universities either did not notice the attacks or did not acknowledge them publicly. Even when hackers publicly alert institutions to their hacks on Twitter, the colleges and universities either do not seem to notice or respond. Last week, a self-proclaimed hacker tweeted to both the University of Oklahoma and South West TAFE in Australia that he had hacked them. While the tweets to U. of Oklahoma are no longer available, an archived copy of two of the tweets was made available to The tweet to South West TAFE is still available: @swtafe nice users on your server — Chrichir (@ChrichirTheGod) March 12, 2015 Neither the U. of Oklahoma nor SWTAFE responded to the hacker’s tweeted alerts of March 11. Nor have they (yet) responded to breach alerts sent to them last night by this site. Both hacks involved SQLi and the e-mailed breach alerts contained the vulnerable url used. The hacker informs that because they did not respond to his tweets, he dumped their  table structures in public pastes on March 12. Given that the U. of Oklahoma has huge problems right now with the scandal over fraternity racism and free speech issues, ignoring the easy access to their databases when they should know that they are likely to be targeted by hacktivists  is just… unwise. The tweets and the  “University of Racism” reference in the paste should raise concerns that this might just be the beginning of more attacks to gain access to internal memos and/or student records. In December, the U. of Oklahoma disclosed a breach involving its nursing college web server. What will it do now? “Chrichir,” who claims to have operated alone in these attacks, informs that no personal information on students was downloaded, although “it would be easily possible to re-do” the hack. In a conversation with, he described his efforts to get U. of Oklahoma to respond: And I told them I was able to access it, and then posted details from private posts to their office from 02-now and then no response …. I tweeted them because they had no response, ever. Then I released it [the paste] because STILL no care for their shit or that I was on their server. It’s like they don’t care about their security at all in the slightest? I’m sure U. of Oklahoma would say that the security and privacy of student records is of their “utmost concern.” But does their lack of response betray any such claims? So what will U. of Oklahoma (and SWTAFE) do now? And will it be enough to protect personal information held by U. of Oklahoma from angry hacktivists?

@MarxistAttorney tweet suggests he’s been arrested (corrected and updated)

Update of March 19: “Attorney” informs that he was not arrested and was just taking a break. Original post: It appears that a young hacker who goes by the online handle of “Attorney” (@MarxistAttorney on Twitter) has been arrested. In a tweet tonight, he wrote: Well this is the end my friends, it was a good run. My final tweet goes out to @lollsuru @abdilo_ @savakasavior @PogoWasRight #FreeAttorney. — Attorney (@MarxistAttorney) March 8, 2015 “Attorney’s” claimed hacks that had been reported on this site included California State University, University of Kentucky, University of Connecticut, University of Maryland, Coastal Carolina University, Abertay University, University of Hawaii, Cornell University, University of Chicago, and the recent Rogers hack. At various times, he was affiliated with different groups such Carbonic, and more recently, TeamHans. Following the Rogers hack, “Attorney” (who described himself to as a college student) indicated he was not afraid of being arrested. In fact, he really didn’t seem to make much effort to hide his identity or cover his tracks, as evidenced by the fact that the Rogers hacked email was directed to an email address that “Attorney” had previously identified as his. Given that an extortion attempt was involved (the hackers admitted they offered to not publicize the breach or dump data if Rogers paid them 70 bitcoins),  the use of a previously known email address was a bit surprising. It is not known at this time whether “Attorney” has actually been arrested and/or charged in the Rogers hack. This post will be updated as more information becomes available.