Hackers, possibly trying to embed links to improve search engine result rankings, may have viewed the sensitive information of 1,400 prospective applicants to Duke University on the institution's law school website, school officials said today.
Webmasters for the Durham, N.C.-based law school were notified of the intrusion last week when they detected unauthorized links on the website, spokeswoman Melinda Vaughn told SCMagazineUS.com today. Officials removed the unauthorized code and shut down the site last Thursday. It remains offline today.
An investigation revealed that the hackers burrowed their way in through a vulnerability in third-party blog software used on the site, she said, declining to name the provider.
This access permitted the intruders to view two databases, one containing the Social Security numbers of 1,400 individuals who had requested information about Duke Law School, she said.
The other database contained the contact information and passwords for 1,800 current applicants, Vaughn said. School officials worry that the students may use these same passwords in other, more sensitive places, such as banking websites.
"We can't determine definitively whether they acquired or downloaded any of this data, but we know they had the opportunity to do it and could have done it," she said.
The school has received one report of unauthorized credit card activity on a student's account, but it is unclear whether the incident is related to the breach, Vaughn said. Police are investigating the hacking.
It is becoming increasingly common for hackers to place links on websites to bolster search engine results for websites selling Viagra or Xanax, Jeremiah Grossman, WhiteHat Security chief technology officer, told SCMagazineUS.com today.
He said attackers use a scanner to search the web for vulnerable sites. Blog software is particularly open to attack because many organizations do not keep it fully patched.
"The thing is, most web software out there, whether it's third-party or custom built, is going to have flaws," Grossman said. "It's different than when you have Microsoft auto update or Apple auto update. These things have to be done manually."
In the case of a hack performed to improve search engine results for a particular website, intruders likely are not out to steal personal information, he said.
"They probably didn't even know the website they hacked or bothered to lift the data," Grossman said.