Cyber Incident Victim: Northern Illinois University
Date: Aug 2015
Location: United States of America
Summary
A hacker known as JM511 compromised multiple U.S. universities, including Northern Illinois University, through SQL injection and cross-site scripting vulnerabilities, exploiting insecure web applications to access databases. The attacker publicly disclosed vulnerable URLs and warned institutions prior to breaches, with confirmed data exposure at another university involving usernames, emails, and both hashed and plaintext passwords. While no personal data leaks were confirmed for this specific institution, the hacker indicated broader targeting of academic systems with inadequate security controls.
Description
In August 2015, a hacker using the alias "JM511" conducted a series of cyberattacks targeting multiple American universities, including Northern Illinois University (NIU). The attacker exploited SQL injection and cross-site scripting (XSS) vulnerabilities in the universities' web applications, compromising their systems. JM511 publicly disclosed the breaches through Twitter, posting notifications directed at NIU and other institutions such as the University of California at Los Angeles (UCLA), Western Governors University, the University of Minnesota, and DePaul University. These tweets included links to vulnerable URLs that JM511 had exploited, demonstrating the attack vectors. While UCLA’s breach involved the exfiltration of data containing user IDs, usernames, passwords (some in plain text), email addresses, and names, no specific data theft from NIU was confirmed in the available records. JM511’s methodology involved reconnaissance of system configurations, including Apache and PHP versions, MySQL database details, and user credentials, as evidenced by technical logs shared during the UCLA breach. The hacker claimed to have warned UCLA via email over a week prior to the attack, though no similar warnings to NIU were explicitly documented.

The incident exposed vulnerabilities in NIU’s web infrastructure, particularly inadequate safeguards against SQL injection and XSS attacks. JM511’s actions highlighted risks to sensitive institutional and personal data, though no evidence suggested NIU’s data was dumped or leaked at the time of reporting. The attacker’s broader pattern included threats to release data from Southern Illinois University, referencing its previously documented security deficiencies. NIU’s specific response measures were not detailed in the source material, leaving containment and remediation efforts unverified. The university’s social media teams were alerted via JM511’s tweets, but it remained unclear whether these notifications triggered immediate IT security interventions. The breach underscored persistent threats to higher education institutions’ cybersecurity postures, with JM511 leveraging publicly accessible vulnerabilities to infiltrate multiple targets simultaneously.
