Yale Gets Dorked: 43,000 SSNs Available via Simple Google Search

Dear Yale students,

Remember that time when you first matriculated? And Yale was all like, “Hey guys, no big deal, but we’re going to need all of your personal information. Yeah, that Social Security number? Fork it over. Don’t worry, though. We’re world-class academics. We know not to do anything stupid with it, like make it available on Google, or whatever.”

Yeah, well, turns out Yale was wrong.

The university announced on Friday that around 43,000 Social Security numbers — belonging to current and former students, faculty, staff and alumni — were released into the Google ether at some juncture in the past, apparently by force of sheer incompetence (sorry, innocent mistake). The issue was first noticed this June, and servers with at-risk files were immediately disconnected from the interwebz.

The leak was supposedly plugged with minimal damage, though no one is really sure whether or not the data was accessed. Yale, in the meantime, is offering complimentary credit monitoring and identity theft insurance to all those affected. Which is surely a huuuuuge relief to everyone involved.

The good news, though, if there is any, is that unless you were affiliated with the university in 1999, you’re basically in the clear. According to the YDN:

The information was stored on a file transfer protocol (FTP) server used primarily for open source materials. [Information Technology Services Director Len] Peters said the file containing the names and Social Security numbers, mostly of people who worked for the University in 1999, was the only sensitive file to be made public. The file did not include addresses, birth dates or financial information.

It’s unclear if this means all that sensitive info was just hanging out in “open source material” for the past 12 years, or what. In any case, it doesn’t seem to have been an issue until Google changed its search parameters last September to start indexing FTP servers. After that, though, it was open season.
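The check a server admin would actually want before leaving a “mostly open source” FTP tree on the public internet is a scan for exactly this kind of file: anything under the document root that contains Social Security number patterns. The script below is an added example, not anything Yale or its ITS staff described; the directory layout, file names and SSN values in it are constructed, and the hyphenated-only pattern and the list of extensions treated as text are assumptions of the example.

```python
"""Audit a directory tree (e.g. the root of a public FTP or web server) for
files containing Social Security number patterns before the tree is exposed.
Added example, not Yale's or its ITS staff's tooling; the sample tree built
below is constructed for demonstration."""
import os
import re
import tempfile

# SSN shape NNN-NN-NNNN with the exclusions the SSA publishes: area 000, 666
# and 900-999, group 00, serial 0000. Assumption: hyphenated form only;
# bare 9-digit runs are deliberately not matched to keep false positives down.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed set of extensions worth reading as text; anything else is reported
# as unscanned so a human can decide whether it needs a closer look.
TEXT_EXT = {".txt", ".csv", ".log", ".html", ".htm", ".xml", ".json", ".md"}


def find_ssns(text):
    """Return the SSN-shaped strings found in text."""
    return SSN_RE.findall(text)


def scan_tree(root):
    """Walk root and return ({relative_path: hit_count} for files with hits,
    [relative paths skipped because they are not text])."""
    hits, skipped = {}, []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                skipped.append(rel)
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                count = len(find_ssns(fh.read()))
            if count:
                hits[rel] = count
    return hits, skipped


def build_sample_tree():
    """Create a constructed sample tree that looks like an 'open source'
    FTP root with one stray personnel file tucked into an old directory."""
    root = tempfile.mkdtemp(prefix="ftp_audit_")
    os.makedirs(os.path.join(root, "pub", "src"))
    os.makedirs(os.path.join(root, "pub", "old"))
    with open(os.path.join(root, "pub", "src", "README.txt"), "w") as fh:
        # Version strings and dates with hyphens must not trip the pattern.
        fh.write("Build with make; version 1.0-4 released 12-2011\n")
    with open(os.path.join(root, "pub", "old", "x1f.csv"), "w") as fh:
        # Constructed values: one valid-looking SSN, two that the SSA
        # exclusions reject (area 9xx and area 000).
        fh.write("name,ssn\nA Person,123-45-6789\n"
                 "B Person,987-65-4321\nC Person,000-12-3456\n")
    with open(os.path.join(root, "pub", "src", "tool.tar.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b\x08\x00not-really-gzip")
    return root


def audit(root):
    """Print a report for root and return the scan results."""
    hits, skipped = scan_tree(root)
    for rel, count in sorted(hits.items()):
        print(f"SSN-like values: {count:4d}  {rel}")
    for rel in skipped:
        print(f"unscanned (not text): {rel}")
    return hits, skipped


if __name__ == "__main__":
    audit(build_sample_tree())
```

Run it against a real document root instead of the sample tree and anything it lists is a file that should not be there, whatever its file name looks like; the point is that an inconspicuous name is no defence once a crawler is reading directory listings.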

Yale insists that it’s unlikely any of the files were intercepted by web tricksters. (They had “very inconspicuous file names,” for whatever it’s worth.) But others aren’t so sure. A blog post at USA Today suggests that Yale could have been the victim of “Google dorking,” which is apparently an actual hacker thing, and not just what your high school’s comp-sci club used to do after fencing practice and before “Firefly”:

Also known as Google dorking, Google hacking refers to cybercriminals’ enterprising use of Google’s advanced search functions to find caches of valuable data ripe for the taking. [...] It hasn’t taken much inventiveness for the criminally-minded to figure out how to use Google dorks to search for common system files that contain sensitive data with tangible value in the cyber-underground.

Still, in this complicated, computer-mediated age we live in, you almost have to give credit to an institution of higher learning for only compromising all your sensitive, identifying information once. (Almost.) So, why not give Yale a break? It’s not as if anything like this has ever happened before, you know?