Honi Soit

    16-year-old claims to be behind USyd data breach

    By Tom Joyner, February 13, 2015

    Honi can reveal that the hacker apparently responsible for the breach of one of Sydney University’s IT systems on February 2 has claimed to be a 16-year-old boy from Queensland. He has said that he has no intention to “abuse” the data he accessed, and instead only wanted to “mess” with the system.

    The attack, which has implications for the integrity of USyd’s security infrastructure, compromised the personal details of approximately 5,000 students and did not come to the University’s attention until February 6.

    The hacker, who goes by the online alias Abdilo, told Honi that the attack had yielded email addresses and ‘pass combo lists’, though he has no intention of using the information for malicious ends.

    “99% of my targets are just shit i decide to mess with because of southpark or other tv shows,” he wrote.

    As for Sydney’s breach on February 2, Abdilo claimed that he had very little trouble in accessing the information, rating the university’s database security with a “0” out of 10.

    “I was taunting them for awhile, they finally figured it out,” he said.

    https://twitter.com/abdilo_/status/566013736922537984

    In a statement provided to Honi by the University of Sydney, a spokesperson confirmed a review of the matter was taking place in the wake of the hack.

    “We are implementing an immediate review of all of our applications to check to see if similar vulnerabilities are in place, and will rectify any that are found,” the statement read.

    Abdilo used a method of hacking known as SQL injection, in which security vulnerabilities are exploited by a line of malicious code ‘injected’ into the targeted system to breach a database.

    IT security expert Troy Hunt, who works with web security training service Pluralsight, said that he knows of Abdilo and has been monitoring his online movements with interest since he first appeared late last year.

    “[Abdilo] obviously has some intelligence,” he said. “He’s approachable enough to talk to, but clearly he hasn’t quite realised the ramifications of what he’s doing.”

    Hunt said that SQL injections are a top concern in web application security, and that he is mildly impressed by what Abdilo has shown himself to be capable of so far.

    “He’s effective insofar that SQL injections are effective,” he said. “You don’t need to understand the mechanics of how it works, you just need to copy and paste the code.”

    “He’s basically saying, ‘Look I’m out to get caught and this is who I am’.”

    “This is going to be fun,” he wrote on Twitter on February 2, the same day that Sydney University’s system was breached and before the attack had been made public.

    On the same day, Abdilo claimed on Twitter to have access to the databases of a total of 32 tertiary institutions worldwide.

    These included Monash University, University of Queensland, University of Sydney, and University of Western Australia in Australia alone. US institutions that Abdilo claimed to have access to included Harvard, Yale, Princeton, and Columbia University. He further suggested he had accessed 9,468,248 database entries from his ‘zero day’ SQL injection attack.

    Honi has as yet been unable to verify these claims.

    https://twitter.com/abdilo_/status/562161916215164928

    Hunt said that it’s quite possible that Abdilo is behind the attacks but is exaggerating their true extent.

    “He’s significantly overstating what he’s done,” he said. “The other option is that he’s not a 16-year-old and that fact is misdirection, and he’s actually quite good at what he does.”

    In a message sent to the compromised universities, Abdilo wrote:

    “As for me, fuck your edus i have owned them all, im done with your idiotic “security”, in a year or so i will come back and audit them all, except i will go and drop your damn tables and format your drives, i suggest fixing your sites before then.(I cannot stop other people from going and raeping your sites, only you can)”

    This was followed by a list of security features that would need improvement.

    https://twitter.com/abdilo_/status/566020523474173953

    On Twitter, he claimed to have been reported to the Australian Federal Police (AFP) “50 times”. When asked if he was concerned, he responded that the AFP “has better things to do then raid someone who is embarrassing unis”.

    Hunt was surprised that he hasn’t been arrested yet, despite ongoing illegal activity.

    “What I found really odd about this is that he’s still running wild,” he said. “He’s pervasive enough to get into these systems but I would doubt that he is able to avoid detection.”

    “He seems resigned to the fact that [his arrest] is going to happen.”

    The AFP could not be reached for comment.

    This is not the first time that Abdilo has perpetrated such an attack. In January, the ABC reported that he was behind what could be the biggest attack on Australian private data in the country’s history, when he broke into the customer database of a major insurance provider.

    In the same month, he broadcast a live-stream of his attack on US university databases.

    Below is a partial list of university databases Abdilo claims to have hacked, sourced from his PasteBin account:

    Yale University

    Harvard University

    University of Arizona

    University of Queensland

    Columbia University

    Georgia Institute of Technology

    University of Chicago

    University of Miami

    Rutgers University

    Princeton University

    University of Sydney

    Universitat Pompeu Fabra

    Virginia Commonwealth University

    Williams College

    Monash University

    Stanford University

    Universitat Jaume I

    Humboldt University of Berlin

    University of Exeter

    McMaster University

    University of British Columbia

    University of Waikato

    University of Western Australia

    Ohio State University

    University of Gothenburg

    Leibniz-Institut für Wissensmedien

    Purdue University

    Lancaster University

    University of Erlangen-Nuremberg

    Libera Università Internazionale degli Studi Sociali Guido Carli

    University of Milano-Bicocca

    University of Montpellier

    University of Warsaw

    Carl Von Ossietzky Universitat

    University of Mannheim

    Clarification: An earlier version of this article stated that Abdilo claimed to have accessed passwords when in fact he had accessed pass combo lists.
