The higher education sector remains a consistent target for data breaches, often due to a combination of legacy systems, decentralized security practices, and a wealth of valuable research data. We recently examined a breach impacting the Indian Institute of Astrophysics (IIA) dating back to August 2018. What struck us wasn't the novelty of the attack, but the persistence of the exposed data in circulation and the continued use of outdated hashing algorithms, even years after the incident.
The breach at ITConnections, a website associated with the Indian Institute of Astrophysics (IIA), resulted in the exposure of 46,372 user records. Discovered circulating on several dark web forums and Telegram channels in recent weeks, the data dump appears to be a direct export from the site's database, containing a mix of email addresses and Drupal-7 hashed passwords. The relatively small size of the breach is overshadowed by the fact that it involves an academic institution and highlights the potential for attackers to leverage older breaches for credential stuffing attacks against other services. The use of Drupal-7 hashing suggests a failure to update security protocols, increasing the risk of password cracking even years after the initial compromise.
Key point: Total records exposed: 46,372
Key point: Types of data included: Email addresses, Password hashes (Drupal-7)
Key point: Source structure: Likely a SQL database export
Key point: Leak location(s): Dark web forums, Telegram channels
Key point: Date leaked: 26-Aug-2018
While this specific incident hasn't garnered widespread media attention, the broader issue of data breaches in the academic sector is well-documented. Several reports from organizations like EDUCAUSE highlight the ongoing challenges faced by colleges and universities in securing their networks and data. Older hashing schemes like Drupal-7 are a recurring theme in many older breaches, which makes those dumps prime targets for attackers with readily available cracking tools. The presence of this data on Telegram channels aligns with the broader trend of stolen credentials being actively traded and used for various malicious purposes, including account takeovers and credential stuffing attacks. The description of the breach as a "combolist" suggests it is being actively used in such attacks.