Cyber Incident Victim: Northwestern University
Date: Apr 2015
Location: United States of America
Summary
Northwestern University experienced a cybersecurity breach involving unauthorized access to a server through an XSS vulnerability and subsequent SQL injection, disclosed by an attacker known as 'MLT' via public platforms. The compromise exposed administrator credentials but did not involve personal data, as confirmed by the institution, which took affected network segments offline for over a week during remediation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 4 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In April 2015, Northwestern University experienced a cybersecurity incident involving unauthorized access to part of its network. The attack first came to light on April 5, when an individual using the alias 'MLT' publicly disclosed a Cross-Site Scripting (XSS) vulnerability affecting the university's 'themayor.itcs.northwestern.edu' subdomain through a post on XSSposed.org, a platform for reporting web vulnerabilities. The disclosure included a URL pointing to a compromised login page that displayed administrative credentials, specifically an email address ([email protected]) and a password (manager), indicating potential unauthorized access to the system. Subsequent attacker activity was documented through social media posts attributed to a user with the handle @Puttied, who claimed to have used SQL injection to gain access to Northwestern's databases. According to these public statements, the attacker conducted reconnaissance within the compromised systems but asserted that no personal information was present on the affected servers.

The university responded by taking a segment of its network offline for more than a week to contain the breach and investigate the intrusion. Northwestern University officials confirmed that the compromised server did not contain sensitive personal data, which is consistent with the attacker's claim that no such information was present. While the full technical scope of the attack was not detailed in public statements, the incident involved exploitation of both XSS and SQL injection vulnerabilities on a specific administrative subdomain. The university did not disclose whether additional systems were investigated or whether the credentials exposed during the breach were reset. No evidence emerged of data exfiltration or secondary exploitation resulting from the incident, and the university kept unaffected systems operating throughout the containment period. The disclosure timeline, which originated from third-party vulnerability reports and attacker communications rather than institutional announcements, highlighted the role of external platforms in revealing the compromise before official confirmation.
