Dark Web News Analysis
A threat actor on a known cybercrime forum is claiming to have leaked a database that they allege was stolen from Hasanuddin University (UNHAS) in Indonesia. According to the post, the database contains approximately 99,930 records of students, faculty, and staff. The purportedly compromised data is highly sensitive, including usernames, email addresses, and, critically, hashed passwords. The actor notes the use of multiple hashing algorithms, including the notoriously weak and outdated MD5 and legacy crypt methods, as well as bcrypt.
This claim, if true, represents a critical data breach and a significant failure of basic security hygiene. The alleged use of MD5 for hashing passwords is a catastrophic vulnerability, as these hashes can be cracked almost instantly with modern tools, effectively exposing the passwords in plaintext. This would enable criminals to launch massive and highly successful “credential stuffing” campaigns and would provide a direct path to a complete takeover of the university’s IT systems, especially if admin-level accounts are included as claimed.
Key Cybersecurity Insights
This alleged data breach presents several critical and immediate threats:
- High Risk of Mass Credential Stuffing Due to Weak Hashes: The most severe risk is the exposure of weakly hashed passwords. MD5 is considered broken and offers no real protection (source: “The md5 hashing algorithm is insecure”, Datadog Docs, docs.datadoghq.com). This means the leak is effectively a list of plaintext passwords that will be immediately used in large-scale, automated credential stuffing attacks against other online services.
- Direct Threat of a Full University System Takeover: The alleged exposure of admin-level accounts, combined with the easily crackable passwords, creates an immediate and severe risk of a full takeover of the university’s IT infrastructure. An attacker could access and manipulate student records, financial aid data, research, and other sensitive information.
- A Goldmine for Targeted Academic Phishing: The database provides a rich, curated list of the entire university community. This allows criminals to craft highly convincing and personalized spear-phishing campaigns, where they can impersonate deans, specific professors, or IT support to steal more valuable credentials or deploy malware.
Mitigation Strategies
In response to a claim of this nature, Hasanuddin University and its community must take immediate and decisive action:
- Launch an Immediate, University-Wide Mandatory Password Reset: The highest priority is to invalidate the compromised credentials. The university must assume all passwords are now public knowledge and enforce an immediate, mandatory password reset for every single student, faculty, and staff member across all university systems.
- Urgent Implementation of MFA and Secure Hashing: This is a critical systemic fix. The university must urgently implement and enforce Multi-Factor Authentication (MFA) on all accounts to protect against the use of stolen passwords. Concurrently, their IT department must immediately upgrade their password storage to a modern, secure hashing algorithm like Argon2id.
- Proactive Communication and Awareness Campaign: The university must transparently communicate with its entire community about the breach. Users must be warned about the high risk of targeted phishing and, most importantly, be strongly advised to change their passwords on any other online account where they may have reused their university password.
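To track the move to Argon2id recommended above, a credential store that mixes MD5, legacy crypt and bcrypt values can be inventoried by storage format. The following is an added example, not code from the original post or from the university: the function names, the bcrypt cost floor and the sample rows are assumptions, and a bare 32-character hex value is assumed to be MD5.

```python
import re
from collections import Counter
# Checked in order: prefixed (modular crypt) formats before bare ones.
SCHEMES = [
    ("argon2id", re.compile(r"^\$argon2id\$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")),
    ("md5-crypt", re.compile(r"^\$1\$")),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
    ("raw-md5", re.compile(r"^[0-9a-fA-F]{32}$")),
]
WEAK = {"raw-md5", "md5-crypt", "des-crypt"}
MIN_BCRYPT_COST = 12  # assumption: local policy floor, not from the article

def classify(stored):
    """Return (scheme, bcrypt_cost_or_None) for one stored password value."""
    for name, pattern in SCHEMES:
        m = pattern.match(stored)
        if m:
            return name, (int(m.group(1)) if name == "bcrypt" else None)
    return "unknown", None

def action_for(stored):
    """Migration step for one stored value."""
    scheme, cost = classify(stored)
    if scheme == "argon2id":
        return "ok"
    if scheme in WEAK or (scheme == "bcrypt" and cost < MIN_BCRYPT_COST):
        return "retire"       # delete the stored value; only a reset restores access
    if scheme == "bcrypt":
        return "upgrade"      # re-hash with Argon2id at the next password set
    return "investigate"      # unrecognised format (possibly plaintext)

def audit(rows):
    """rows: iterable of (username, stored_value). Returns (plan, summary)."""
    rows = list(rows)
    plan = {user: action_for(value) for user, value in rows}
    summary = Counter(classify(value)[0] for _, value in rows)
    return plan, summary

# Constructed sample rows with filler values; not data from the alleged leak.
SAMPLE = [
    ("alice", "ab" * 16),
    ("bob", "$1$saltsalt$" + "x" * 22),
    ("carol", "ab" + "c" * 11),
    ("dave", "$2b$10$" + "x" * 53),
    ("erin", "$2b$12$" + "x" * 53),
    ("frank", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"),
    ("grace", "hunter2"),
]
```

Running `audit` again after the mandatory reset shows whether any account is still stored in a format marked `retire`.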
Secure Your Organization with Brinztech As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com