Cyber Incident Victim: University of Cambridge
Date: Jun 2016
Location: United Kingdom
Summary
Hackers breached the Cambridge Schools Classics Project website, exposing email addresses and unencrypted passwords of over 1,500 students and staff. The unauthorized access compromised user credentials stored in cleartext, prompting the educational institution to notify affected individuals. The incident highlighted security vulnerabilities due to the lack of password encryption, though the exact method of breach remained unclear.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around June 23, 2016, unauthorized actors breached the Cambridge Schools Classics Project (cambridgescp.com), a University of Cambridge educational website. The attackers exfiltrated email addresses and passwords belonging to approximately 1,500 students and employees registered on the platform. Notably, all compromised credentials were stored in cleartext rather than in an encrypted format, so the stolen passwords were directly readable. The stolen data was subsequently released publicly on online platforms, though the specific distribution channels remained unspecified. A University spokesperson confirmed the breach to media on June 23, acknowledging unauthorized access to user registration data. The confirmation came shortly after the breach became publicly visible through the data release. University representatives did not disclose the intrusion method or when the compromise was first detected.

Because the passwords were exposed in cleartext and password reuse is common, the incident exposed affected individuals to credential-stuffing attacks. The University initiated direct notifications to affected users concurrently with its public confirmation of the breach. No evidence indicated secondary compromises of University core systems beyond the Classics Project website. The response did not include public disclosure of forensic findings regarding attacker techniques or infrastructure. Mitigation efforts focused on credential resets for impacted accounts rather than system-wide authentication overhauls. The breach underscored operational security deficiencies, specifically cleartext password storage, at an institutional subsidiary.
