Cyber Incident Victim: The Chronicle of Higher Education

Date: May 2020

Location: United States of America

Summary

A threat actor known as Shiny Hunters breached and offered for sale a database containing approximately three million user records from a higher education news organization, alongside data from HomeChef and ChatBooks, totaling 26 million compromised accounts. The attackers priced the organization's data at $1,500, though specifics regarding the compromised information types were not disclosed, unlike the companion breaches which included hashed credentials and personally identifiable details. Researchers assessed the incidents as legitimate, noting the actor's pattern of selling stolen datasets on dark web forums without immediate buyers, suggesting potential redistribution at lower prices.

Description

On or around May 3, 2020, hackers operating under the name Shiny Hunters advertised a database containing approximately three million user records from Chronicle.com, a news source for higher education operated by The Chronicle of Higher Education, Inc., for sale on a dark web forum. The group priced the Chronicle.com data at $1,500, making it the least expensive among three databases they simultaneously offered, which also included records from HomeChef and ChatBooks. Unlike the other two breaches, the advertisement for Chronicle.com did not specify the types of information compromised beyond confirming it contained user records. Researchers from digital risk protection firm ZeroFox identified the sale listings and assessed with high confidence that the breaches were legitimate. The Chronicle.com database had not been purchased at the time of ZeroFox’s analysis, and no samples of the stolen data were publicly disclosed by the hackers to verify its contents.

Shiny Hunters, which had previously claimed responsibility for breaches at Tokopedia and Unacademy, employed a consistent methodology of breaching organizations, exfiltrating data, and monetizing it through dark web marketplaces. The group indicated plans to sell additional databases from other victims in the near future. ZeroFox analysts noted the lack of buyers for the Chronicle.com, HomeChef, and ChatBooks databases increased the likelihood the data would be relisted on other forums at reduced prices. The incident exposed Chronicle.com users to potential credential-stuffing attacks, phishing campaigns, or identity theft, though the absence of confirmed data fields limited precise risk assessment. The broader pattern of Shiny Hunters’ activities suggested continued targeting of organizations with insufficient cybersecurity measures to prevent unauthorized database access. No public statements from The Chronicle of Higher Education, Inc., regarding the incident or mitigation efforts were referenced in available reporting.
