14 DAY TRIAL // The Information Technology Division of Stony Brook University (SBU) is investigating a data leak after a file containing student names associated with university IDs was leaked online.
SBU is a public university located in Stony Brook, Long Island with a secondary campus in Manhattan. As of fall 2010 it has 24,594 students.
According to the Stony Brook Independent, a file containing 61,000 names, NetIDs and SBU IDs was leaked on a discussion board for SBU students called SBUChat.
The data was apparently taken from the SOLAR system, the university's online service center for students, faculty and staff.
A 21-year-old Information Systems Engineer undergraduate student, who preferred to remain anonymous, took credit for the leak and said that he used a vulnerability to extract the data.
The flaw allegedly allowed hackers to change the passwords of SOLAR NetID accounts without knowing the original ones.
The student said that he reported the flaw to Richard W. Reeder, chief information officer for the university's Division of Information Technology (DoIT), under a fake name.
Mr. Reeder confirmed that he received two separate reports about the bug and noted that it was fixed in six hours. However, the student was apparently not satisfied with the fact that DoIT kept quiet about it.
"There’s no reason not to tell the campus how dangerous it was," the anonymous student said, stressing that he chose to leak names and IDs in order to raise awareness without causing much damage.
Reeder does not agree. "It's very, very irresponsible to leave that file up there," he commented. "It's not exactly the keys to the kingdom, but it’s just not a good idea, and somebody should use some discretion," he added.
There are fears the SBU IDs could be used to create fake univeristy IDs and potentially allow students to take exams for each other.