Cyber Incident Victim: University of Queensland
Date:
Jul 2015
Location:
Australia
Summary
The University of Queensland experienced a data breach involving unauthorized access to login credentials by the "Nightmare Squad," a group affiliated with Anonymous that claimed to target entities in South America. Nine individuals' email addresses and corresponding clear-text passwords were exposed in a public leak, though the origin of the data—whether obtained through hacking or discovered unsecured—remained unclear. The attackers did not disclose their methods, and the university had not acknowledged the incident at the time of reporting despite being notified through multiple channels.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In July 2015, the University of Queensland experienced a data breach involving unauthorized access to login credentials attributed to a hacking group identifying as “Nightmare Squad.” The group publicly exposed a paste containing nine individuals’ university email addresses paired with plaintext passwords, though the origin and method of obtaining these credentials remained unclear. Nightmare Squad, which described itself as an "#Anonymous blackhat team fighting for the people of South America," had previously focused on Brazilian targets, including government websites, making this incident an unexpected deviation from their regional pattern. The group did not disclose how they acquired the data—whether through a direct hack of university systems, exploitation of vulnerabilities, or discovery of exposed information—nor did they clarify whether the passwords were stored in plaintext by the university or decrypted after being obtained in hashed form. DataBreaches.net first identified the breach and attempted to notify the university via email on July 24, 2015, but received no immediate acknowledgment, prompting a follow-up alert through the university’s Twitter account the following day. The exposure posed direct risks to the affected individuals, as the leaked credentials could facilitate unauthorized access to university accounts or other services if reused by the victims.
The university’s public response to the breach was not documented in the available source material, leaving its acknowledgment timeline, internal investigation, and remediation efforts unconfirmed. DataBreaches.net’s outreach attempts highlighted potential delays in incident response coordination, as neither the initial email nor the social media notification elicited a visible reaction during the reporting period. The limited scope of the leak—nine accounts—suggested a targeted or opportunistic compromise rather than a systemic breach of university infrastructure, though the absence of technical details from Nightmare Squad prevented definitive conclusions about attack vectors or broader vulnerabilities. The incident underscored operational challenges in third-party breach notifications when organizational communication channels proved unresponsive. No further details regarding victim notifications, password resets, or forensic analysis were disclosed in the source material, leaving the full institutional and individual impacts unresolved in public reporting.