Last year in June, the Harare Institute of Technology (HIT) was hacked, and the individual behind the hack demanded US$999 (then later $6.4 billion) to return the files. This hacker also claimed to have secured some (in fact ALL) HIT databases, and now a new database containing students' information appears to have surfaced. Or is it a database from that last leak that has somehow seen the light of day? To be honest, we are not entirely sure.
What now?
The leaked database contains the sensitive information of over 3 500 students and the details leaked include:
- Registration Number (Regnum)
- Passwords
- Firstname
- Surname
HIT students, you may want to change your password
The leaked database has already been viewed by over 100 people (a rising number), and the page where it's linked (which we won't link to for obvious reasons) will expire in 27 days. If you're a HIT student it's advisable to change the password on your Student Account. I say this because even though I'm not sure what is in the student accounts, I'm assuming there's some important and personal stuff in there.
We are not sure if this data is from the last incident…
I personally know one of the students on the database but they enrolled before June's hack so this seems like data from that hack. After the 2017 hack, HIT's Head of Public Relations Mr Mutema had this to say:
I can confirm that we were attacked yesterday at around 4:30AM. Social media is however blowing the whole matter out of proportion. The attackers hacked into our website. They had temporary control of the servers hosting our website and emails. We pulled our systems from the internet until we managed to sort out the matter today (yesterday).
If this data we’re seeing now is from that leak, Mr Mutema may have slightly twisted the truth about this incident since this seems like a bigger deal than he cared to admit at the time. I guess the truth always finds a way out after all…
We reached out to HIT to confirm whether this database was accessed after last year's hack or whether this is an entirely new leak. The support assistant we contacted could not put us through to the person we were trying to get a comment from, so we will add HIT's response once they have responded.
106 comments
An institute of technology that can't implement basic web security practices. Get some of your comp science students to regularly do penetration testing, for crying out loud! You are annoying us now.
Yeah well. It was going to happen sooner or later. Glad it wasn't by my hand
@davie.. Their comp science students don't know shit. My friend has half of the entire squad as clients for projects. Besides, comp science doesn't have much of a security scope
there are Information Security students also
the thing at HIT is that students do some of these projects and the institute, I feel, does not want to implement from the students. There is Comp Science, Software Engineering, IT, Information Security, all capable of doing so
Having students doing something does not mean its good enough to fly on an institutional level HIT is. perhaps talk of lecturers teaching InfoSec because they probably know a bit more but obviously not enough
@Davie it's an ICT thing at HIT, even the lecturers in Cyber security are not allowed to interfere with such breaches. They let the ICT department handle it, worse off us students. Can I have the link to the data to check my details
Tsisti your schools security sucks and you know it,your lecturers suck together with your ICT as well as the students too
You can contact the techzim Facebook page and give us your name and surname and we'll check because once the link is in circulation that doesn't really help the situation.
Fake News
I’m calling it a bluff too, this is probably techzim out of publishing content
Hahaha…Checking your other comments, i thought you were also saying they were hacked fo sho…which side you on? lol
I'm there stuck in between "holy shit they were hacked again" and the "meh.. it's a bluff"
Me am stuck at, “holy shit, they got hacked again” and “holy shit them hackers from last year finally posted the stuff”
And also "holy shit TechZim hacked HIT"……You know in all my 6 years as a hacker, 2 of them being black hat, I've never heard a hacker not at least trying to take credit for their work.
haha, true true
Mr Militant Saungweme, I would advise you to change your password as this name is actually on the database as well. If you need convincing you can text me on facebook: https://www.facebook.com/fmudzingwa1 and I'll tell you your password…
Damnnnn!!!!!!!!!!!!!!!!!!!!!!!!
And why is TechZim in possession of this information? Is withholding this information compliant with the new GDPR policy?
As far as im concerned you @TechZim are our actual worry
Who gives a crap
Someone sent us a tip with the link, but if we were to share this link with our readers how many people would be compromised Lorde Destro? Much more than the ones who already have been compromised, which is why I keep insisting to you and other HIT students who think this is fake news to just text our Techzim facebook page and we can tell you your password. Is that not a fair enough resolution?
How about just mail the list to the HIT ICT department, and let them handle it whichever way they want to. Its their stuff anyway
Well technically, It’s not HIT’s stuff but actually the students stuff…
Which was on HIT’s Webservers, dont you think if someone comes into your house and steals your tenants stuff its your issue to fix?
So your money at the bank is the banks money?
You don't know what you are talking about. It is indeed HIT's stuff. Who manages that infrastructure, where is that data sitting? It is indeed HIT's responsibility to have it secure.
Ok JanJan, it’s HIT’s stuff.
@JanJan no offense but its your stuff. Just like you have info on Facebook and Twitter or any social platform, you own that info. Its yours.
hahahah if your money in the bank is compromised, who will you look to answer for your loss?
@ItsJustMe but the congress didnt look to us to answer to the privacy issues facebook had, because its facebooks shit… Besides, Fadzai here wants to bask in the glory of having access to your information as it stands. But im sure he is going to regret it soon. I know pretty motivated hackers who might be on his case as we speak.
We are just notifying students so they can stay safe, whatever HIT decides to do is their own choice.
@Lorde Destro They didn't because Facebook is supposed to keep your data safe. It's like the bank example given above, it's your money but the bank is keeping it for you..If the bank is robbed, you will complain because it's your money that was stolen..even though we all know the banks have no money lol ..but you get the idea
We can say your intentions were pure but not quite the execution. If you had taken this to HIT you couldve done much more than the three people you had change their passwords as opposed to so called thousands
I would just tell people to change their passwords. This thing of telling people to DM u and tell their password is not necessary. If one doesnt believe you, let him/her be…I just changed mine … Hope noone saw my results lol
True, that’s a bit overboard. Best course of action is to just change your password (or not change it if you do believe you’re safe).
@ItsJustMe My point exactly, and its more believable and carries a bit of urgency when your schools ICT department tells you that than a Blog…..No Offense at TechZim
None taken, we are just helping the students who have been compromised, which is our job.
You're not HIT or ministry of ICT and cybersecurity or worse a consultant.
kkk so can I just have the database…since it's now a public record?
HIT was not hacked. where are you getting all this?
Hey, how do you know?
If you are a student at HIT please text Techzim Facebook Page and we'll check if you're on the list and we'll inform you what your password is, but I do advise you to change your password if indeed you're a student…
"we'll check if you're on the list and we'll inform you what your password is"……….Wait a minute………..Wait a minute………….You telling us the passwords are in plain text? Like is that it??
Yes the passwords, registration numbers and the names they belong to are indeed in plain text.
Thats just wrong, bad programming and security …
It’s quite unfortunate hey…
Then again, they're the masters of zim tech. They should go to MSU and take notes, maybe a 30 day workshop.
No matter how grand your programming skills are, there is always a better programmer or reverse engineering tools!!
HIT is full shit cant even implement basic security to protect its students details…
the history say so
HIT is pretty SHIT YES
First thing is first, I’m calling it a bluff coz ive used all the search algorithms i know on most prominent SEs and nothing came up about the database.
Second of all, as a hacker, if I have something to publish so that the general public can see, I would put it where the public can see, not a secure link or hidden link, I would make sure it's highly indexed by all search engines (SEs).
Now thirdly if its an attack then its probably from last year because the incident from last year kind of just blew away like a passing breeze and i was sure that there was going to be more to it.
Lastly HIT has proven that they're not the epitome of technology in the country, seen by being hacked the first time and hypothetically the second time because I still call it a bluff. They're too busy parading false superiority instead of making sure that their security is air tight. Everyone at HIT is a shame from the admin all the way to the students
As it is now, MSU is probably the epitome of Tech in the country and they have the Director with a very forward vision, So HIT, go and ask for help than constantly shame us….
That is your position and I have to respect that. Judging from the comments you don’t learn at HIT. However, if you do know anyone who learns at HIT please ensure they change their password.
But why are you in possession of the information? Honestly from a security consultant's point of view, you yourself are in breach of the basic data protection policy and quite frankly you have no policy agreement with the owners of the information that you hold. My advice is look the other side and pretend like you just passed through the link (if it exists) because the sole absence of this link is not reassuring on whether it exists or you are the actual perpetrator, so I think you should rather stop telling people that their names are amongst this list because you're not making the so called situation better, not for you or for the victims or for the institution. They probably have ways to handle their misfortunes, so let them.
We are not in position of the data, it’s on the internet. Our job is not to look the other side unfortunately but to report these things when they happen. If we look the other side, how then do people who have their information compromised fix the situation? How do they update their passwords and prevent access from outsiders?
That's access control on HIT's part, they can do all sorts of things, they can randomly run a hash algorithm on 3500 separate words, replace their passwords column rendering all previous passwords obsolete and then run a cronjob to send every student a new random alphanumeric password and then they can start to change their passwords at times of their convenience but then the whole system would be safe…..
I will bet 5 Bitcoins they cant do that stuff you just said ..lol
I can do it for them and the cryptocash is mine ??
@Lorde Destro hell nooo…
you are not in position of the data?? LOL !!! possession is better !!!
Lol my bad, my bad!
But at HIT we don't even reach 3500
As I have replied to others, if you’re a student at HIT you can send a DM of your name and surname to Techzim’s Facebook Page and we’ll tell you your password.
With respect, why are you so keen to prove yourself? If HIT was allegedly hacked as you said in the article, they have noted and I suspect they will be taking their measures to safeguard their systems. There is no need for HIT students to DM you on a social media platform so that you tell them their passwords, let the institution handle their matter. As a reporter your job is to report and you have reported, that is where the story ends.
Furthermore, given you already have access to their portal password what assurance do they have that you do not wish to dox them, just filling in the last pieces of your puzzle. I say so because if a student DMs you that means you now know their facebook handler and you can just scroll the timeline to learn more about that student and thereof gathering more vital information because facebook is a bit personal.
On the other hand Farai, how are you authenticating these students before you give them the passwords? Because take for example I can DM you now and tell you a registration number of any student I have targeted and you will give me the password because you want to prove yourself. By so doing are you not making the situation worse?
On a legal perspective do you have the right to provide these passwords or did the institution sign a policy with you to provide the passwords if not, i’m afraid that you might be breaching the basic data protection policy.
Yeah, and I did acknowledge in an earlier comment that asking people to DM me was out of line.
TechZim Hacked HIT period. Why should one trust you. Are you conniving with the hackers. HIT should sue you. This paper should become history.
HIT poses itself as the institution with technology superior to all other institutions. HIT should learn from its mistakes and upgrade all their infrastructure.
At this rate I doubt if HIT students will be taken seriously in the industry (especially their Information Security and Assurance students) after they graduate.
I don't even employ HIT students for anything
and we dont want to work for you either
Noted with a smile
try me!
If I was still in my black hat days I would have gone straight for your mail exchange servers because now we know that in there is an anonymous tip with the link to the information that I could possibly use. But as a white hat hacker I'm going to tell you to delete the email immediately because if you yourself get hacked and more damage is done because the information got out and was obtained through you then it'll definitely be a different ball game.
Thanks for the advice
Not saying I know who did it…..
But Golix security engineer might know something. The guy knows too much.
There are few good hackers in Zim, but he is always my first suspect for local hacks.
you havent met anyone then:)
hahahahahaha..you're too much, my guy
Guys we are all missing one point here that can utterly prove that this blog is lying. Who did Fadzai get this statement below from at HIT??
“I can confirm that we were attacked yesterday at around 4:30AM. Social media is however blowing the whole matter out of proportion. The attackers hacked into our website. They had temporary control of the servers hosting our website and emails. We pulled our systems from the internet until we managed to sort out the matter today (yesterday).”
http://www.chronicle.co.zw/universities-hit-by-cyber-attacks/
The Chronicle is lying too?
but that article is from last year and you took that statement from it meaning this your post is either fake or a year late.. which one is it Fadzai? TechZim credibility might be going up in smoke..
Yes there was a hack last year but at the time the database was not online which is why we are questioning if this is a new incident or if the same database has been uploaded now…
Now you're talking….. But that comment threw us away where it said last night at 4am
So where is the link?
To prevent the circulation of a link containing students sensitive information we chose not to publish the link. If you are a student update your password.
and have you alerted HIT before posting your article?
Good Chat….see you on the next fake post
Information security students are on demand just pay them
What is the worst a person could do with a registration number, name and password? Just curious.
Not much but some people use the same password for everything, so if by chance that compromised password is the same as say facebook a hacker could then steal your identity and post nasty stuff on your behalf or leak some of your private activities
Understandably so, but you would need their email address or FB/Twitter handle? A password alone doesn’t help, let’s say my password is &chinemaneji234 and my name is Tendai Mafura, what’s the next step to hack my email? My email could be tmafura, tenma, tendai or even mafura@gmail.com. The permutations increase once we consider addresses like mafura2010@gmail.com. For all you know the email address isn’t even derived from the name nor is it hosted on Gmail. Sounds like too much noise for a low threat hack.
Techzim, where do you get these disorderly little stories of yours? Get a life!
Mr Anonymous, if you’re a student at HIT please change your password so that no one accesses your information illegally…
I am beginning to think that techzim itself is the one that got hacked, because what @Farai Mudzingwa is saying makes no sense.
At least we can start by investigating techzim and farai mudzwingwa for allegedly hacking HIT. Will you tell us where you got your tip?
You can go ahead and investigate but if you are a student at HIT please start by changing your password before you begin your investigations
I would like to confirm the hack.
We have taken the student portal offline. The damage this hack has both on the image of the institute and that of the students is of terrific magnitude. We will not stop our investigations until we find the people behind this hack.
At the mean time I advise all of to to change your passwords.
how could you not expect this to happen, when even the English itself is giving you trouble, invest more on security you are a technology university
You people, what's the issue, whether the matter is fake or not TechZim brings a point to the table, just change your credentials.
And Mr Lorde Destro… please grow up, stop feeding yourself lies saying you are a hacker and go get yourself a hobby or better yet go and look for money
Asante sana.
Hey people.. Being hacked doesn’t sto HIT from being the best tech institution… Our lectures are not the designers of our database neither is our students… If ttz wah u do at ur institutions I’m sry ttz not wah we do so being hack is not a true indication tt we not the best but just indicates tt currently our database are not tt secured coz if I say they have no security I will be lying ciz nomatter hw much u secure ur dB there is always a btr programmer than you and when he feels like hacking he will… So watz not best tech are those or its tt person who designed the database… About the issue of coping from. MSU tt wont happen… Im sry to say this Google is admiring our students every year and graduates are being employed to America and on top of tt empressing.
Is this English?
We told you before that it's not a university
Why don't you go to sleep, are you being paid? No one cares, it's HIT's problems not ours …. at the end of the day we will all die and no one gets into heaven by hacking …… keep talking if you want but that won't stop HIT from succeeding … we will all die pained by their success, and many are commenting because it's HIT; if it were us at MSU they would just say "where are they going, all they do is entertainment and the wrong things"
I suspect the students!!!
hi there! It's great site. so many topics and opinions. I used to read, basically washingtonpost but now your site one of my favorites. Thank you!
Thanks a lot, we will do our best to stay as one of your favourites…