
Cyber Incident Victim: Reading Rockets

Date: Feb 2014

Location: United States of America

Summary

A national literacy initiative experienced a significant security breach when hacker group @DeleteSec compromised its website, resulting in the theft and public release of over 5,800 user accounts. The attackers exploited a MySQL injection vulnerability to access multiple databases, leaking credentials across five distinct files hosted on MediaFire. Exposed information included full names, physical addresses, email contacts, plaintext passwords, and other site-specific participant data. The group publicly announced the breach through their Twitter account, confirming the ongoing exploitability of the vulnerability at the time of disclosure.


Description

On February 6, 2014, hacker group @DeleteSec publicly announced a breach of ReadingRockets.org, a national multimedia literacy initiative focused on children's reading education, via their Twitter account. The attackers exfiltrated and subsequently leaked user credentials across five distinct files uploaded to MediaFire: "purchaseinquiry," "FYLparticipants," "data2," "data," and "ccsignsup." These files contained credentials extracted from multiple databases and tables residing on the organization's server infrastructure. Analysis of the leaked data revealed compromised personal information including full names, physical addresses, email addresses, contact details, and plaintext passwords. The breach also exposed internal site-related information, though specific details about this category were not elaborated in the disclosure. Forensic examination of one leaked file identified a vulnerable URL susceptible to MySQL injection (MySQLi) exploitation, suggesting a potential attack vector. @DeleteSec had actively targeted other entities prior to this incident, establishing a pattern of activity preceding the Reading Rockets compromise.

The breach impacted 5,840 user accounts, with credentials distributed across the five leaked files reflecting data from different functional areas of the website. Exposed records included participants in the "FYL" program (likely referring to a site-specific initiative), purchase inquiry records, and credit card sign-up data ("ccsignsup"), indicating broad access to backend systems. The persistence of the MySQLi vulnerability at the time of reporting implied ongoing exposure risk beyond the initial breach. No statements from Reading Rockets regarding incident response, containment measures, or victim notifications were documented in the available source material. The public release of plaintext passwords significantly elevated risks for credential reuse attacks against affected users, while exposed addresses and contact details created potential physical security and harassment concerns. The incident underscored operational vulnerabilities in the storage of sensitive user data and authentication credentials by the educational nonprofit.
