Kenyon College in Ohio left more than 24,000 students at risk from a leaking database that exposed their personal information including passwords.
A dataset, containing full student names, university addresses, and hashed passwords was left accessible to the public, the Cybernews team found.
The 4.7GB database, hosted on Google Cloud in India, also included student groups, their descriptions, and member lists, as well as job offers. According to our researchers, 24,500 students’ data was exposed.
Leaked passwords were hashed using bcrypt, which is difficult but not impossible to crack.
All the leaked email addresses were on the university’s domain, meaning the leak could potentially be used to compromise the college’s mail servers and gain access to other systems that students use.
Moreover, given that people tend to reuse their passwords, the dataset could be combined with other leaks and used for credential stuffing attacks.
The Cybernews team also found that the server hosting the database was potentially exposed to 38 known vulnerabilities in Apache HTTPD and OpenSSH, some dating as far back as 2013.
"The number of vulnerabilities that could potentially affect this server could arguably do more damage, as they could allow a threat actor to gain access to the university's network, and move laterally to critical infrastructure devices, or gain access to other servers that might hold even more sensitive information such as payment information or social security numbers," Cybernews researcher Aras Nazarovas said.
The database is now closed, the Cybernews team confirmed. We’ve repeatedly reached out to Kenyon College for comment, but haven't yet heard back.
On Friday, Kenyon contacted us, saying it had shared the following message with students and employees:
"Kenyon is looking into a report of a data incident. We do not believe there are any security issues at this time. We are continuing to assess the matter with a third-party vendor. Please direct any questions to [email protected] or [email protected]"
Criminals eyeing higher education
Recently, the FBI issued a warning that threat actors continue to target US colleges and universities, selling the harvested credentials on cybercriminal forums. Attackers might exploit stolen credentials for subsequent cyberattacks, well aware that users typically recycle their usernames and passwords across multiple accounts.
“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or resell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit [it] for other criminal activity against the account holder, or use [it in] subsequent attacks against affiliated organizations,” the FBI said.
Since January, Russian cybercriminal forums have been flooded with credentials and virtual private network access to a multitude of US universities and colleges. According to the FBI, the credentials’ price varied from a few to multiple thousands of US dollars.
This May, Lincoln College, which survived the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, and the 2008 global financial crisis, was forced to close down because of a cyberattack.
The education sector is among the most targeted by ransomware cartels, a recent report by Sophos showed. One reason ransomware gangs target universities is that educational institutions are often poorly protected against cyber threats.
Higher education institutions might not sit on a pile of money. However, they are wealthy in knowledge, often work with classified military documents, research diseases and cures, and therefore are a top-level target for hackers hired by nation-states.