Threat Watch

Hacker Falsely Claims to Have Breached Australian Department of Education

DataBox: Early on the morning of September 2nd, a user calling themselves DataBox posted to RaidForums that they had stolen the data of over one million students, teachers, and staff from the Australian Department of Education. The Australian Computer Emergency Response Team (AusCERT) denied the claims. Other users on RaidForums quickly pointed out that not only was the data actually from K7Maths, an e-learning solutions provider, but that it had also been posted by another user back in March. AusCERT specified that, based on its investigation, the data was the same as what was leaked in March and likely came from an exposed Elasticsearch instance. The exposed data included first names, emails, password hashes, and K7Maths settings. AusCERT correctly observed that the hashes “can be cracked with enough effort.” After other users called out DataBox for misrepresenting the source of the data, DataBox updated the post to show that it came from K7Maths.

ANALYST NOTES

This is not the first time that a user on a hacking forum has misrepresented the data that they are posting, nor is it unheard of for a user to post old data while claiming they stole it themselves. Considering how recent the data was and the massive number of accounts included, it is surprising that DataBox thought they could get away with it without others calling out the real origins of the data. ZDNet, which wrote about this incident, stated in its article that the post had been deleted following the response from other forum users. This, however, is inaccurate. Following the response from other users, DataBox updated the post to correctly represent the data as having come from K7Maths, and updated the thread title. More information on this topic can be found at: https://www.zdnet.com/article/auscert-says-alleged-doe-hack-came-from-a-third-party/