Cyber Incident Victim: Kentucky State University
Date: Sep 2019
Location: United States of America
Summary
A university experienced a cybersecurity breach compromising over 3,000 student email accounts through credential harvesting attacks. The institution's IT department confirmed unauthorized access resulted from multiple credential harvesting incidents targeting user login credentials, leading to the exposure of sensitive email data. No evidence suggested broader system infiltration beyond the affected accounts. Officials notified impacted individuals while emphasizing the importance of robust password practices to mitigate such threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Kentucky State University experienced a cybersecurity incident involving unauthorized access to student email accounts in September 2019. The breach was publicly disclosed by the university on September 19, following two separate credential harvesting attacks targeting student login credentials. The first attack occurred on September 12-13, with a second wave following on September 22-23. According to Robert Eckman from the university's IT department, attackers successfully compromised credentials through these harvesting campaigns, ultimately gaining access to more than 3,000 student email accounts. The incident timeline indicates attackers operated during two distinct periods, suggesting either multiple intrusion attempts or evolving tactics. While the exact method of credential harvesting wasn't detailed, such attacks typically involve phishing emails or fake login pages designed to steal authentication information. The university's investigation confirmed that the breach scope remained limited to email account access, without specifying whether other systems or data types were affected.

The compromised email accounts exposed students to potential privacy violations and misuse of their institutional communications. Though the university didn't disclose evidence of data misuse, unauthorized access to email accounts could have enabled attackers to view sensitive academic records, read personal correspondence, or reset passwords for other services. Kentucky State's IT department led the incident response, identifying affected accounts and notifying all 3,000 impacted students. No information was provided regarding whether password resets, multi-factor authentication implementation, or monitoring services were offered to victims. The public disclosure occurred approximately one week after the initial attack, with the university choosing to combine notification about both incidents in its September 19 announcement. Credential harvesting was identified as the root cause, highlighting vulnerabilities in user authentication practices rather than systemic technical failures in university infrastructure.
