Cyber Incident Victim: DePaul University

Date: Aug 2015

Location: United States of America

Summary

A hacker compromised DePaul University through SQL injection and cross-site scripting vulnerabilities, publicly notifying the institution via social media alongside other universities. The attacker exposed vulnerable URLs but did not release confirmed exfiltrated data from this specific institution, though samples from another compromised university included credentials and personal information. The intrusion demonstrated weaknesses in web application security without confirmed unauthorized data access beyond system infiltration at this victim.

Description

In August 2015, a hacker using the alias JM511 conducted a series of cyberattacks targeting multiple American universities, including DePaul University. The attacker publicly disclosed these breaches on Twitter on August 23, 2015, notifying DePaul University alongside Western Governors University, the University of Minnesota, and Northern Illinois University. JM511 exploited SQL injection and cross-site scripting (XSS) vulnerabilities to compromise the institutions' systems, as evidenced by tweeted links showing the specific vulnerable URLs. The hacker followed a pattern of issuing warnings prior to attacks, having previously emailed UCLA more than one week before breaching its systems and dumping data. While JM511 did not release specific details about data exfiltrated from DePaul University during this incident, the attacker's methodology involved extracting database contents from compromised systems, as demonstrated in the UCLA breach where user credentials, email addresses, and personal information were exposed.

The attacks exposed vulnerabilities in the universities' web applications, with JM511's UCLA breach revealing technical details about the compromised environment including Apache 2.2.2, PHP 5.2.5, and MySQL 5.0.12 database configurations. Although no personal data dump was confirmed for DePaul University in the immediate aftermath, the public disclosure of vulnerable URLs indicated successful intrusion vectors. The incident highlighted risks associated with unpatched systems and insufficient security controls against common web application attacks. JM511's broader campaign demonstrated systematic targeting of higher education institutions, with the hacker suggesting impending data dumps from other universities like Southern Illinois University. The universities' responses were not detailed in available reports, leaving containment actions and impact assessments unspecified for DePaul University specifically, while UCLA faced confirmed exposure of sensitive credentials including some plain-text passwords.
