Grey hat hackers have proved many times in the past weeks that most websites managed by universities tend to be highly insecure. Now, members of TeaMp0isoN have demonstrated how easily these flaws can be exploited by leaking tons of information from the official sites of UCLA, Wayne State University, and the Hampshire County Council.
From the site of UCLA (ucla.edu) the hackers leaked the usernames and passwords of the individuals who had access to the site’s MySQL database. They also published the IDs, usernames, salts, and password hashes of staffers.
Regular site users may also be affected by the breach, since their names, titles, email addresses, logins and MD5 password hashes were posted online on Pastebin.
The second target, the site of the Hampshire County Council (hants.gov.uk), didn’t store such a complex database. Nevertheless, TeaMp0isoN stole and made publicly available more than 2,000 usernames and clear-text passwords.
Wayne State University (wayne.edu), the final victim of this story, also had a highly insecure website, allowing the hackers to gain access to its administrator usernames and passwords.
“That’s it for now folks. We were a bit bored and had to do something last night so this came up as a perfect opportunity to demonstrate how there is no security at all,” the hackers wrote.
We have contacted two of the TeaMp0isoN hackers who were in charge of these breaches: Phantom, the one responsible for the exploitation, and F0rsaken, who did all the necessary research.
They didn’t want to disclose what vulnerabilities they leveraged to gain unauthorized access to the sites.
“That will remain a mystery since they got hacked once already and they said they fixed their site, as in the case of UCLA,” they told us.
So we asked them whether they had any other reasons for hacking the sites, besides the fact that they were bored.
“Security is an illusion. I have to prove it now and then. As a blackhat I do not believe in security and I need to show everyone that it doesn’t exist,” Phantom said.