SNHU still investigating database leak exposing over 140,000 records

Class records exposed by third-party vendor, university says

Southern New Hampshire University (SNHU) says they're still investigating how a database containing some student and class information was exposed to the public. The database was discovered by researcher Chris Vickery shortly before Christmas.

Vickery turned to Salted Hash for assistance in resolving the matter, as previous attempts to contact the university were stalled due to a lack of contact options.

A former SNHU student contacted by Salted Hash was able to connect us to the university's Information Security Officer on December 15, 2015. After our email containing IP and DNS information was sent, the contact reacted swiftly to secure the exposed database.

When questioned about the function of the database, SNHU wouldn't comment.

The exposed SNHU database contains more than 140,000 records, including student names, email addresses, and IDs, as well as other class-related details such as course name, course section, assignment details and assignment score. The database also contains instructor names and email addresses.

Considering the information contained within the leaked database, it looks as if it's related to the university's online offerings or something students can use to track class progress. On their website, SNHU says that enrollment totals more than 70,000 students. So, either the exposed database has duplicated records, or both current and former students were impacted by the incident.

After being contacted a second time by Salted Hash, the school confirmed an investigation was ongoing and the student IDs exposed in the incident were not based on Social Security Numbers.

SNHU says the database was exposed by a third-party vendor as a result of configuration errors, but they wouldn't name the vendor in question.

"We are awaiting a copy of the database from the vendor, so we cannot comment on the precise nature of its contents. The vendor did tell us that no Social Security information, birth dates, credit card information or SNHU passwords were present in the database," the university said in a statement to Salted Hash.

On December 23, SNHU said they'll "assess next steps, including any possible communications to students," once their investigation concludes.

As of January 4, that investigation remains open. This story will be updated as new information becomes available.

Copyright © 2016 IDG Communications, Inc.
