A threat actor operating under the alias "Ev0rax"has released what appears to be a partial database dump from Lagos State University (LASU), one of Nigeria's premier educational institutions. The breach, posted on prominent dark web forums, contains administrative and student information exported in CSV format.
Scope of the Breach
According to the forum posting, the compromised data includes:
Administrative Systems:
- University administrative credentials with password hashes (SHA1 encryption)
- Complete academic staff database containing personal information
- Extended user profiles and permission system configurations
Student Records:
- Comprehensive student database including matriculation numbers and academic histories
- Admission system data for prospective students
- Event participation and certification records
Financial Data:
- Payment and transaction records
- Tuition fee information and financial transactions
System Access
- Admin authentication system components
- User management and access control configurations
Data Categories Compromised
The threat actor outlined several affected database categories:
- SECURITY: Admin authentication systems
- ACADEMIC: Faculty and staff employment records
- STUDENTS: Undergraduate and graduate student databases
- FINANCIAL: Tuition payments and financial transactions
- ADMISSIONS: Application and enrolment data
- EVENTS: Workshop and seminar participant tracking
- SYSTEM: User management infrastructure
Implications for Affected Individuals
The exposure of password hashes, even with SHA1 encryption, poses significant risks as this algorithm is considered cryptographically weak by modern standards. Students, faculty, and staff may face:
- Identity theft risks
- Unauthorized access to university systems
- Targeted phishing campaigns
- Financial fraud attempts
- Privacy violations
Recommendations
- Immediately change passwords for all university-related accounts
- Enable two-factor authentication where available
- Monitor financial accounts for suspicious activity
- Be vigilant against phishing attempts
.png)
.png)