Cyber Incident Victim: Macalester College
Date: Jan 2015
Location: United States of America
Summary
Macalester College experienced a cybersecurity breach where attackers compromised a subdomain dedicated to Russian history resources. The intrusion, attributed to the Zyklon group, exposed user credentials including names, emails, and plaintext passwords, with over 3,600 entries publicly leaked and references to a larger database of 90,000+ accounts. The compromised site was taken offline to mitigate further risks, and users were potentially affected if they reused passwords across other platforms.
Description
On January 15, 2015, the hacker group Zyklon, operating under the alias WonkaSec, breached a subdomain hosted by Macalester College dedicated to Soviet history education (soviethistory.macalester.edu). The attackers publicly disclosed 3,634 user records via Pastebin, containing first and last names, usernames, plaintext passwords, email addresses, and administrator status indicators. Zyklon claimed possession of over 90,000 additional accounts and provided a non-functional link to a purported full database dump. The compromised subdomain served as an open educational resource for Russian culture and history studies, requiring user registration for access. Attackers specifically highlighted the value of .edu email addresses in the leak, suggesting they could belong to professors and advising potential misuse through search functionality. Screenshots of the defaced site and stolen data were shared via Zyklon’s Twitter account and a temporary WonkaSec homepage.

Macalester College’s hosting provider immediately took the breached subdomain offline, replacing it with a notification confirming unauthorized access to registered user information including passwords. Administrators acknowledged the site would remain inactive indefinitely while developing a more secure replacement version. The college urged users who reused passwords across multiple sites to change them promptly, regardless of whether their specific information appeared in the initial Pastebin disclosure. Concurrently, Zyklon claimed responsibility for breaches at three additional organizations—BigBlueInteractive’s forums, aquamarineboat.com, and pumpsforless.com—though only Macalester’s and aquamarineboat.com’s data samples were verifiably leaked at the time. DataBreaches.net independently notified affected non-academic entities about their exposures, though Macalester’s public response remained limited to the subdomain takedown notice and password reset advisory. The incident exposed systemic security vulnerabilities, particularly the storage of plaintext passwords and insufficient protection of an externally facing educational platform.
