Menu
Browse

Cyber Incident Victim: University of California, Los Angeles

Date:

Aug 2015

Location:

United States of America

Summary

A hacker known as JM511 breached the University of California, Los Angeles through SQL injection and cross-site scripting vulnerabilities after issuing multiple warnings via email and social media. The attacker accessed and publicly disclosed databases containing user IDs, usernames, hashed passwords with some plaintext exceptions, email addresses, and full names. Technical details of the compromised systems, including Apache, PHP, and MySQL versions, were exposed alongside database credentials. JM511 also claimed unauthorized access to several other universities' systems, though only UCLA's data was confirmed dumped, while indicating potential future data releases from another institution with previously documented security deficiencies.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

On August 23, 2015, a hacker operating under the alias JM511 publicly disclosed a cyberattack against the University of California, Los Angeles (UCLA) via Twitter. The attacker claimed to have issued two prior warnings to the university, including an email alert sent more than one week before the breach. JM511 subsequently posted a data dump containing compromised UCLA information, which included sample records from university databases. The exposed data encompassed user IDs, usernames, encrypted passwords, and in one table, plain-text passwords. Additional compromised records contained university email addresses alongside first and last names of affected individuals. Technical details accompanying the breach indicated that JM511 exploited vulnerabilities in UCLA's web applications, specifically targeting systems running Apache 2.2.2, PHP 5.2.5, and MySQL 5.0.12 database software. Forensic evidence from the attacker's posts revealed that the intrusion occurred through SQL injection and cross-site scripting (XSS) attacks, with compromised database credentials showing access to the 'celf' database under the 'celf@localhost' user account.

Cyber Incident Image

The UCLA breach formed part of a broader campaign targeting multiple U.S. educational institutions. JM511 simultaneously notified Western Governor’s University, University of Minnesota, DePaul University, and Northern Illinois University about successful intrusions via similar vulnerability exploits, though no personal data dumps from these institutions were confirmed at the time. The attacker tweeted specific URLs demonstrating vulnerable entry points at each university. JM511 additionally hinted at impending data disclosures from Southern Illinois University, referencing prior security concerns identified in a 2014 audit of that institution. While the full scope of data exfiltration at UCLA remained unverified in available reports, the exposure of authentication credentials and personally identifiable information created significant compromise risks. Public evidence suggested delayed institutional responses, with the article noting uncertainty regarding whether university social media teams recognized the threat notifications and escalated them to IT security personnel promptly.

Sources
Sources available to members
1 source