Exposed

Poor Cyber Security: Mount Kenya University’s Website Hacked And Data Of Students Leaked Online

A new report suggests that data of various Mount Kenya University students – both past and present – is being shared online in hacker forums. The data consists of names, general addresses, and phone numbers.

Touseef Gul, a Pakistani Penetration Tester, says the data includes records of 211,373 students both current and past from their admission lists to student and administrative information. Touseef Gul breakthrough on the cybersecurity space dates back to 2017, after discovering a vulnerability that could allow bypassing of GoDaddy’s site security tool.

This issue dates back to three years ago, according to Gul, who first discovered the vulnerability in Mount Kenya University’s website and database as well as those of three other Nigerian based Universities – Nnamdi Azikiwe University, (UNIZIK); Ahmadu Bello University, Zaria, and Salem University.

The loopholes were pretty easy to find on these websites, says Gul.

“With ABU, Zaria, for example, all I needed to do was type in portal.abu.edu.ng on my browser along with a few other characters, and I discovered the bugs,” he said in response to Nigerian technology blog TechPoint.Africa.

Gul says he reported the bugs to the universities a long time ago but only a few responded. Mount Kenya University did not bother. Same to ABU, Zaria.

Three years later, Gul recently performed another test to see whether the bugs were fixed. Unfortunately, Mount Kenya University and ABU’s website still haven’t patched the flaws – to date.

Nigerian based Ahmadu Bello University stored data to 256,370 of its students online including their login details — usernames and passwords – in plain text.

For Mount Kenya University, 211,373 students are affected. Hackers have already shared some of the data in various online hacker forums, according to Gul.

A shared CSV file in one hacker forum mid-May contains 1,525,787 lines of names, addresses, and phone numbers — all Kenyan. That means hackers might have scrapped other data from elsewhere and not just in Mount Kenya’s University’s database. Here’s what I mean; (*phone numbers and names are hidden for privacy).

hacker forum screenshot
Sample data provided publicly in one hacker forum

This leaves the various affected students susceptible to online attacks.

It’s quite disturbing that a database can be left unattended to for all this time after being notified but teaching a Masters’s degree in Information Technology as well as Information Security (Cyber Crime).

Mount Kenya ironically, is one of the universities who’re continuing with e-learning despite having a porous cyberspace. They’re yet to respond to the reports.


There's no story that cannot be told. We cover the stories that others don't want to be told, we bring you all the news you need. If you have tips, exposes or any story you need to be told bluntly and all queries write to us [email protected] also find us on Telegram

Related posts

Exposed: Chris Obure Ordered The Killing Of Kevin Omwenga

nairobi-exposed

Eyebrows Raised At KURA’s Director Eric Oginga Fights With Bribery To Keep His Job As Murkomen Checks In

nairobi-exposed

Beware: Common Money Scams And How To Avoid Them

nairobi-exposed

State Is Investigating Oil Tycoon Daniel Wamahiu Over Links To A Multimillion Scam

nairobi-exposed

The Boon And Bane Of Mediheal Group Of Hospitals

nairobi-exposed

Exposed: How The Kimwarer And Arror Contractor Used Different Identities To Cover Tracks

nairobi-exposed

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More