This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Mt Hira College

Summary

A database containing information for approximately 750 students from Victoria's Mt Hira College was circulated on a popular hacking forum on 27 April 2024. The database includes student names, student IDs, classes, email addresses, and passwords in plain text. The data was offered for free on the forum, and the passwords appear to use very common word and number combinations.

What Happened

An attacker breached Mt Hira College's systems and exfiltrated a database containing student information. On 27 April 2024, the database was posted to a popular clear-web hacking forum and offered for free to other threat actors. The breach exposed data for approximately 750 students from the co-educational K-12 Islamic college in Victoria. Critically, all passwords were stored and leaked in plain text rather than being hashed, and many used very simple, common combinations of words and numbers.

Impact on Individuals

The breach exposed highly sensitive student information including:

  • Full names
  • Student ID numbers
  • Class assignments
  • Email addresses
  • Passwords in plain text

Students and families should immediately:

  • Change passwords for school email accounts and any other accounts using the same password
  • Enable two-factor authentication where available
  • Be extremely alert for phishing emails targeting students or parents
  • Monitor for cyberbullying or harassment using stolen account information
  • Watch for scams targeting families with knowledge of student details

The exposure of plain text passwords is particularly concerning as students often reuse passwords across multiple services, potentially compromising accounts beyond the school system.

Organisational Response

Mt Hira College is a K-12 co-educational Islamic school in Victoria. The data breach was observed and verified by cybersecurity researchers who confirmed the data appeared legitimate. The plain text storage of passwords indicates inadequate security practices for protecting student credentials. The college should implement proper password hashing, mandate password resets for all affected accounts, and provide cybersecurity education to students and families about password security and reuse risks.
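The remediation recommended above (hash stored passwords, force resets for every affected account) can be sketched as follows. This is an added example, not code from the college or from the original report; the field names, sample rows, scrypt parameters and the weak-password heuristic are all assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed scrypt cost parameters; tune for your own hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32
# Assumed heuristic for "word + number" passwords such as "summer2024".
WORD_NUMBER = re.compile(r"[A-Za-z]+\d{1,4}")

# Constructed rows with the same kinds of fields as the leak; not real data.
SAMPLE_ROWS = [
    {"student_id": "S0001", "email": "a@example.edu", "password": "summer2024"},
    {"student_id": "S0002", "email": "b@example.edu", "password": "T7#qLw9!vRz2"},
]

def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<digest hex>' with a random per-account salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$")[1])
    return hmac.compare_digest(hash_password(password, salt), stored)

def is_weak(password):
    """Reject short passwords and plain word-plus-number combinations."""
    return len(password) < 12 or WORD_NUMBER.fullmatch(password) is not None

def migrate(rows):
    """Drop the plaintext column, keep only a salted hash, flag every account."""
    migrated = []
    for row in rows:
        record = {k: v for k, v in row.items() if k != "password"}
        record["password_hash"] = hash_password(row["password"])
        record["must_reset"] = True  # the old password is public, so always reset
        migrated.append(record)
    return migrated

def reset_password(record, new_password):
    """Accept a new password unless it is weak or equals the leaked one."""
    if is_weak(new_password) or verify_password(new_password, record["password_hash"]):
        return False
    record["password_hash"] = hash_password(new_password)
    record["must_reset"] = False
    return True
```

Hashing the leaked value during migration removes the plaintext from storage immediately and lets the reset step refuse a "new" password that is identical to the one already circulating.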
