Extensive Database Hack Includes Job Applications, Poetry
New York, NY – June 26, 2012. Identity Finder has analyzed 3.83 GB of data purportedly hacked from the San Jose State University Student Government's website. The hack was announced the night of Monday, June 25, 2012 on Twitter, by a hacker going by the name "S1ngularity." Identity Finder notified the school about the breach early this morning.
The breach appears to be an extensive hack of the Associated Students SQL database, using a SQL injection attack. A SQL injection attack exploits a website vulnerability in which an attacker tricks the website into sharing restricted database information by entering specially crafted input into web forms. SQL injection vulnerabilities are easy to fix, and the hacker reports that the website was patched just after the hack occurred. Based upon the modified dates of the breached files, the attack appears to have occurred over a 14-hour period between the evening of June 22 and mid-day June 23.
The database included a wide range of information from 2003 through 2012, including event registrations, poetry, job applications (including work histories, references, and questions regarding past convictions), work schedules, time cards, funding receipts, book exchange information, polls, job postings, laptop inventories, and website content. Identity Finder found no evidence that passwords, social security numbers, student IDs, or contact information were encrypted or hashed.
Identity Finder found the following information in the data:
- Approximately 10,000 valid social security numbers, in a column labeled "SSN." Fortunately, there was no apparent way to associate any of the SSNs with individuals' names. Update: 5:00pm Eastern: The University asserts that although the nine-digit numbers in the column labeled "SSN" are valid social security numbers, they are actually student ID numbers. If true, this is cause for celebration.
- 22,130 unique email addresses. Of those:
  - 7,645 (34.5%) are yahoo.com accounts.
  - 4,772 (21.6%) are gmail.com accounts.
  - 2,992 (13.2%) are hotmail.com accounts.
  - 1,408 (6.4%) are aol.com accounts.
  - 1,297 (5.7%) are sjsu.edu accounts.
- Hundreds of plain-text passwords for various web services, but student campus login credentials do not appear to be compromised.
- Hundreds of driver's license numbers.
- Thousands of phone numbers and addresses.
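The kind of triage Identity Finder describes above (checking whether a nine-digit column is structurally valid as SSNs, tallying email domains, and checking whether a password column is stored hashed) can be reproduced on a dump. The script below is an added example, not Identity Finder's tool or code from the breach; the sample rows are constructed, and the column names are assumptions.

```python
import re
from collections import Counter

# Constructed sample rows standing in for the breached tables (not real data).
SAMPLE_ROWS = [
    {"SSN": "123456789", "email": "alice@yahoo.com", "password": "hunter2"},
    {"SSN": "000123456", "email": "bob@gmail.com", "password": "letmein"},
    {"SSN": "666123456", "email": "carol@sjsu.edu", "password": "Spartans!"},
    {"SSN": "987654321", "email": "dave@YAHOO.com", "password": "qwerty"},
    {"SSN": "12345678", "email": "not-an-email", "password": ""},
]

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
# Common stored-hash shapes: crypt-style "$id$..." strings or bare hex digests (MD5/SHA-1/SHA-256).
HASH_RE = re.compile(r"^(\$[a-z0-9]+\$.+|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def is_structurally_valid_ssn(value):
    """Structural test only: area 001-899 excluding 666, group 01-99, serial 0001-9999.
    A nine-digit student ID can pass this check, which is exactly the ambiguity
    raised in the update above: format validity does not prove the number is an SSN."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return 1 <= area <= 899 and area != 666 and group != 0 and serial != 0

def count_ssn_like(rows, column="SSN"):
    """Number of rows whose column value passes the structural SSN test."""
    return sum(1 for r in rows if is_structurally_valid_ssn(r.get(column, "")))

def email_domain_breakdown(rows, column="email"):
    """Case-insensitive domain tally over unique addresses: {domain: (count, percent)}."""
    addrs = {r[column].strip().lower() for r in rows if "@" in r.get(column, "")}
    domains = Counter(a.rsplit("@", 1)[1] for a in addrs)
    total = len(addrs)
    return {d: (n, round(100.0 * n / total, 1)) for d, n in domains.items()}

def password_column_looks_hashed(rows, column="password"):
    """True only if every non-empty value has a recognizable hash shape; plain text fails."""
    vals = [r[column] for r in rows if r.get(column)]
    return bool(vals) and all(HASH_RE.match(v) for v in vals)

if __name__ == "__main__":
    print("SSN-like values:", count_ssn_like(SAMPLE_ROWS))
    print("Email domains:", email_domain_breakdown(SAMPLE_ROWS))
    print("Passwords hashed:", password_column_looks_hashed(SAMPLE_ROWS))
```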
Update: 1:30pm Eastern: Initial reports indicate that the University has been unable to confirm the veracity of the data. Identity Finder hopes, for the sake of the students and the university, that the breached information is somehow not real. However, in our judgment the quantity, scope, depth, and quality of data makes it nearly impossible that the data was fabricated.
Update: 8:30pm Eastern: In order to confirm the veracity of the data, Identity Finder called several phone numbers in the database. In each case, voice mails correctly identified the person named in the database. Two individuals confirmed that they are SJSU students who recently applied for a job at the Associated Students, through the career center website. Each confirmed their phone numbers, graduation dates, and majors exactly as stated in the database.
Regardless of whether the nine-digit numbers are SSNs or student IDs, the risk of identity theft is low. A much more realistic risk associated with this breach is that 22,130 individuals associated with SJSU could become victims of phishing scams. We caution those affected to avoid clicking on links asking you to update your username and password, or to enter sensitive information on websites, even if the websites look legitimate. Before entering sensitive personal information, always type the website name into the browser yourself to make sure you are at the right place.
Even if the hack does not require SJSU to issue a written notification to students pursuant to California law, we join the University in their concern for any exposure of student identifying information that could result in phishing or other security risks.
Identity Finder's data discovery and protection software gives companies the ability to prevent data leakage and find sensitive information. It has quickly grown to become a leader in identity protection and Data Loss Prevention (DLP) by helping millions of consumers, small businesses, and enterprises across the world. You may download the free version of Identity Finder DLP Software here: http://identityfinder.com/free