Cyber Incident Victim: Stadt Solingen
Date: Dec 2023
Location: Germany
Summary
A cybersecurity incident involving the City of Solingen resulted in unauthorized access to Microsoft Office 365 school accounts used by students and teachers across 25 local schools. The compromise, detected through unusual login patterns, led to 413 accounts being blocked, 29 of which showed high-frequency access from foreign countries indicating credential theft. Exposed information included users' first and last names along with their school email addresses, which follow a predictable format (e.g., [initial].[surname]@[schoolname]-solingen.de); no identity documents or birthdates were confirmed stolen. Attackers likely used the stolen credentials to send spam emails and to read the account directory. The municipality disabled the compromised accounts, notified affected individuals and authorities, and set up a support hotline, attributing the breach partly to weak password practices among users.
Description
The incident involving the City of Solingen’s school Microsoft Office 365 accounts was detected on December 27, 2023, when an IT service provider employee identified anomalous login activity during a routine review. Immediate analysis revealed 413 accounts flagged by Microsoft as "compromised" due to deviations from normal authentication patterns, including multiple failed login attempts. Among these, 29 accounts exhibited high-frequency access attempts originating from geographically distant locations such as South Korea, China, and Russia, leading investigators to conclude with high confidence that password theft had occurred. The City of Solingen, which administers these accounts for 25 local schools, promptly disabled all 413 compromised accounts to prevent further unauthorized access. These accounts were primarily used by students and teachers for accessing or distributing educational materials during remote learning, with explicit policies against using them for email correspondence or personal data storage.
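The two detection signals described above, bursts of failed sign-ins and high-frequency access from countries far from the tenant's home, can be expressed as a small triage script. The following Python is an added example and not the tooling of the City of Solingen, its IT service provider or Microsoft; the log layout, the home country, the thresholds and the account names are assumptions, and the addresses only reuse the page's [initial].[surname]@[schoolname]-solingen.de pattern with a placeholder school name. The log lines are constructed, not real data.

```python
"""Heuristic sign-in triage for a tenant of school accounts.

Added illustration (not the City of Solingen's or its provider's code). It
scores each account on the signals the incident description names: a burst of
failed logins and a high volume of attempts from outside the home country.
Thresholds, log layout and account names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (not real data). One record per line:
# <ISO-8601 UTC timestamp>,<account>,<source country, ISO 3166-1 alpha-2>,<outcome>
SAMPLE_LOG = """\
# a.muster: ordinary daily use from Germany
2023-12-20T08:01:00,a.muster@schoolname-solingen.de,DE,success
2023-12-21T08:03:00,a.muster@schoolname-solingen.de,DE,success
2023-12-22T07:59:00,a.muster@schoolname-solingen.de,DE,success
# b.muster: stolen credentials exercised from several distant countries in one night
2023-12-26T01:10:00,b.muster@schoolname-solingen.de,KR,failure
2023-12-26T01:11:00,b.muster@schoolname-solingen.de,KR,failure
2023-12-26T01:12:00,b.muster@schoolname-solingen.de,KR,success
2023-12-26T02:40:00,b.muster@schoolname-solingen.de,CN,failure
2023-12-26T02:41:00,b.muster@schoolname-solingen.de,CN,success
2023-12-26T03:05:00,b.muster@schoolname-solingen.de,RU,failure
2023-12-26T03:06:00,b.muster@schoolname-solingen.de,RU,failure
2023-12-26T03:07:00,b.muster@schoolname-solingen.de,RU,success
2023-12-26T04:30:00,b.muster@schoolname-solingen.de,KR,success
2023-12-26T05:15:00,b.muster@schoolname-solingen.de,CN,success
2023-12-26T06:00:00,b.muster@schoolname-solingen.de,RU,success
2023-12-26T06:45:00,b.muster@schoolname-solingen.de,KR,success
# c.muster: local password-guessing burst, then a success
2023-12-27T09:00:00,c.muster@schoolname-solingen.de,DE,failure
2023-12-27T09:01:00,c.muster@schoolname-solingen.de,DE,failure
2023-12-27T09:02:00,c.muster@schoolname-solingen.de,DE,failure
2023-12-27T09:03:00,c.muster@schoolname-solingen.de,DE,failure
2023-12-27T09:04:00,c.muster@schoolname-solingen.de,DE,failure
2023-12-27T09:05:00,c.muster@schoolname-solingen.de,DE,failure
2023-12-27T09:06:00,c.muster@schoolname-solingen.de,DE,success
# d.muster: a single holiday sign-in abroad, which should not be flagged
2023-12-28T10:00:00,d.muster@schoolname-solingen.de,ES,success
"""

HOME_COUNTRY = "DE"             # assumption: users normally sign in from Germany
FAILED_THRESHOLD = 5            # failed attempts on one account within WINDOW
FOREIGN_THRESHOLD = 10          # attempts from outside HOME_COUNTRY within WINDOW
WINDOW = timedelta(hours=24)


def parse_signin_log(text):
    """Parse the CSV-like log into (account, timestamp, country, outcome) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, country, outcome = line.split(",")
        records.append((account, datetime.fromisoformat(ts), country, outcome))
    return records


def flag_accounts(records, home_country=HOME_COUNTRY, failed_threshold=FAILED_THRESHOLD,
                  foreign_threshold=FOREIGN_THRESHOLD, window=WINDOW):
    """Return {account: sorted reasons} for accounts whose sign-in pattern deviates.

    A window of length `window` is opened at every event, so a burst is caught
    wherever it sits in the account's history.
    """
    by_account = defaultdict(list)
    for account, ts, country, outcome in records:
        by_account[account].append((ts, country, outcome))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        reasons = set()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            failed = sum(1 for _, _, outcome in in_window if outcome == "failure")
            foreign = [country for _, country, _ in in_window if country != home_country]
            if failed >= failed_threshold:
                reasons.add("failed-login burst")
            if len(foreign) >= foreign_threshold:
                reasons.add("high-frequency foreign access")
            if len(set(foreign)) >= 2:
                reasons.add("multiple foreign countries")
        if reasons:
            flagged[account] = sorted(reasons)
    return flagged


def credential_theft_suspects(records, **kwargs):
    """Accounts whose foreign-access volume alone justifies a block and password reset."""
    flagged = flag_accounts(records, **kwargs)
    return sorted(a for a, reasons in flagged.items()
                  if "high-frequency foreign access" in reasons)


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_LOG)
    for account, reasons in sorted(flag_accounts(recs).items()):
        print(f"{account}: {', '.join(reasons)}")
    print("block and reset:", credential_theft_suspects(recs))
```

The split between `flag_accounts` and `credential_theft_suspects` mirrors the two-tier response in the incident: every deviating account is blocked, while the subset with sustained access from distant countries is treated as confirmed credential theft. A single sign-in from abroad (account d) stays below both thresholds, which keeps travelling users out of the block list; the thresholds are starting points to tune against a tenant's own baseline, not fixed values.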

Technical assessments confirmed that stolen credentials likely exposed users’ first initials, surnames, and school-issued email addresses formatted as [initial].[surname]@[schoolname]-solingen.de. Attackers leveraged the compromised accounts to send spam emails and access the internal user directory containing other educational account email addresses. No evidence indicated theft of identity-related data like birthdates, as such information was neither required for account functionality nor stored by default. Metadata analysis suggested minimal use of email storage or OneDrive features, reducing the likelihood of additional data exposure. However, the city acknowledged that users who voluntarily stored Teams chats, documents, or personal information in violation of usage policies might have had such data compromised. The incident affected a subset of the city’s 22,000 Microsoft educational licenses, with no observed impact on other municipal IT systems. Solingen authorities filed a police report against unknown perpetrators, notified North Rhine-Westphalia’s data protection authority, and directly informed all 413 affected account holders—primarily students and parents—by year-end 2023, while establishing a dedicated hotline for inquiries. The city attributed the breach partly to weak password practices observed among students, emphasizing the vulnerability of simplistic credentials to specialized attackers.
