News //

16-year-old claims to be behind USyd data breach

Tom Joyner (@tomrjoyner) investigates USyd’s would-be child hacker.

Child hacker Child hacker

Honi can reveal that the hacker apparently responsible for the breach of one of Sydney University’s IT systems on February 2 has claimed to be a 16-year-old boy from Queensland. He has said that he has no intention to “abuse” the data he accessed, and instead only wanted to “mess” with the system.

The attack, which has implications for the integrity of USyd’s security infrastructure, compromised the personal details of approximately 5,000 students and did not come to the University’s attention until February 6.

The hacker, who goes by the online alias Abdilo, told Honi that the attack had yielded email addresses and ‘pass combo lists’, though he has no intention of using the information for malicious ends.

“99% of my targets are just shit i decide to mess with because of southpark or other tv shows,” he wrote.

As for Sydney’s breach on February 2, Abdilo claimed that he had very little trouble in accessing the information, rating the university’s database security with a “0” out of 10.

“I was taunting them for awhile, they finally figured it out,” he said.

In a statement provided to Honi by the University of Sydney, a spokesperson confirmed a review of the matter was taking place in the wake of the hack.

“We are implementing an immediate review of all of our applications to check to see if similar vulnerabilities are in place, and will rectify any that are found,” the statement read.

Abdilo used a method of hacking known as SQL injection, in which security vulnerabilities are exploited by a line of malicious code ‘injected’ into the targeted system to breach a database.

IT security expert Troy Hunt, who works with web security training service Pluralsight, said that he knows of Abdilo and has been monitoring his online movements with interest since he first appeared late last year.

“[Abdilo] obviously has some intelligence,” he said. “He’s approachable enough to talk to, but clearly he hasn’t quite realised the ramifications of what he’s doing.”

Hunt said that SQL injections are a top concern in web application security, and that he is mildly impressed by what Abdilo has shown himself to be capable of so far.

“He’s effective insofar that SQL injections are effective,” he said. “You don’t need to understand the mechanics of how it works, you just need to copy and paste the code.”

“He’s basically saying, ‘Look I’m out to get caught and this is who I am’.”

“This is going to be fun,” he wrote on Twitter on February 2, the same day that Sydney University’s system was breached and before the attack had been made public.

On the same day, Abdilo claimed on twitter to have access to the databases of a total 32 tertiary institutions worldwide.

These included Monash University, University of Queensland, University of Sydney, and University of Western Australia in Australia alone. US institutions that Abdilo claimed to have access to included Harvard, Yale, Princeton, and Columbia University. He further suggested he had accessed 9,468,248 database entries from his ‘zero day’ SQL injection attack.

Honi has been unable to as yet verify these claims.

Hunt said that it’s quite possible that Abdilo is behind the attacks but is exaggerating their true extent.

“He’s significantly overstating what he’s done,” he said. “The other option is that he’s not a 16-year-old and that fact is misdirection, and he’s actually quite good at what he does.”

In a message sent to the compromised universities, Abdilo wrote:

“As for me, fuck your edus i have owned them all, im done with your idiotic “security”, in a year or so i will come back and audit them all, except i will go and drop your damn tables and format your drives, i suggest fixing your sites before then.(I cannot stop other people from going and raeping your sites, only you can)”

This was followed by a list of security features that would need improvement.

On Twitter, he claimed to have been reported to the Australian Federal Police (AFP) “50 times”. When asked if he was concerned, he responded that the AFP “has better things to do then raid someone who is embarrassing unis”.

Hunt was surprised that he hasn’t been arrested yet, despite ongoing illegal activity.

“What I found really odd about this is that he’s still running wild,” he said. “He’s pervasive enough to get into these systems but I would doubt that he is able to avoid detection.”

“He seems resigned to the fact that [his arrest] is going to happen.”

The AFP could not be reached for comment.

This is not the first time that Abdilo has perpetrated such an attack. In January, the ABC reported that he was behind what could be the biggest attack on Australian private data in the country’s history, when he broke into the customer database of a major insurance provider.

In the same month, he broadcast a live-stream of his attack on US university databases.


Below is a partial list of university databases Abdilo claims to have hacked, sourced from his PasteBin account:

Yale University

Harvard University

University of Arizona

University of Queensland

Columbia University

Georgia Institute of Technology

University of Chicago

University of Miami

Rutgers University

Princeton University

University of Sydney

Universitat Pompeu Fabra

Virginia Commonwealth University

Williams College

Monash University

Stanford University

Universitat Jaume I

Humboldt University of Berlin

University of Exeter

McMaster University

University of British Columbia

University of Waikato

University of Western Australia

Ohio State University

University of Gothenburg

Leibniz-Institut für Wissensmedien

Purdue University

Lancaster University

University of Erlangen-Nuremberg

Libera Università Internazionale degli Studi Sociali Guido Carli

University of Milano-Bicocca

University of Montpellier

University of Warsaw

Carl Von Ossietzky Universitat

University of Mannheim


Clarification: An earlier version of this article stated that Abdilo claimed to have accessed passwords when in fact he had accessed pass combo lists.