Add the University of Hawaii and Cornell University to the universities that have been hacked by @MarxistAttorney.
The U. of Hawaii data dump, which DataBreaches.net is not linking to, does not contain student or employee personal information, but in addition to acquiring the root username/password, “Attorney” also got the mac addresses, service tags, usernames and more of each and every computer/smart board in their University. The dump only contained approximately 2,000 of the 65,000 lines of data he acquired, he tells this site.
DataBreaches.net emailed U. of Hawaii to ask them to confirm or deny the breach and provided them with the vulnerable url that had reportedly been used to access their system. They promptly acknowledged the inquiry and stated they were investigating, but as of the time of this posting, have not replied with any confirmation or denial.
Long-time readers may recall that during 2009 – 2011, the University of Hawaii had a number of data breaches that resulted in a critical report from Liberty Coalition and a class action lawsuit that was settled in 2012.
Cornell University also appears to have been hacked by @MarxistAttorney. That data dump includes non-sensitive employee contact information (names, work e-mails and phone numbers), as well as what appears to be information on the university’s utilities accounts information (power, heating, gas, etc.) Cornell did not respond to an inquiry by this site as of the time of this posting.
In an interview this week, DataBreaches.net asked @MarxistAttorney about his motivation for hacking universities. While his earlier comments referred to hacking for the “lulz” and to undermine IT departments, he also notes that he hacks to protest:
I am a University student myself, and I am already knee-high in debt. You shouldn’t be forced to pay crazy high tuition fees just because you want to pursue an education and not work at some shit shack like McDonald’s. I can see myself spending half my life after graduating just paying off loans and I don’t want that for myself or anyone else. This is my way of protesting. I hope that by dumping the data of this University, and the various other ones I have done in the past, that they will consider lowering the tuition fees, or making it free to attend university, so students don’t need to suffer like me and millions of others have. Not to mention, this is a University we are talking about here, the fact that they can’t audit their own site and fix sqli vulnerabilities shows how disappointing the monkeys for IT Teams they have.
“Attorney” says that most of his hacks, like these two, exploit SQLi vulnerabilities. In the U. of Hawaii case, the vulnerability has already been patched, Attorney tells this site, but the damage was already done.