By: Sruli Fruchter  | 

Hackers Steal YU Students’ and Employees’ Personal Information in Accellion Security Breach

Hackers recently stole Yeshiva University students’ and employees’ personal information — including Social Security numbers and financial information — in a data security breach of Accellion, Inc., a third-party vendor used by the university to securely transfer files. The university’s Information Technology Services (ITS) emailed students on Thursday, April 1 that they are investigating the “data security incident.”

Several institutions, including Stanford University and the University of Maryland, were also affected by the Accellion breach. The Stanford Daily reported that hackers leaked Social Security numbers, emails and financial information of Stanford community members. Hackers threatened to release some universities’ data unless they paid a ransom of $10 million in bitcoin.

The Commentator has confirmed that the personal information of three YU students was posted online and is publicly visible, including banking information, home addresses and two Social Security numbers. As of publication, the students were not personally contacted by the university aside from the general email sent to students.

According to its website, Accellion is a “private cloud solutions company focused on secure file sharing and collaboration.” Vulnerability in the California-based company’s file-sharing application allowed an unauthorized party to steal “certain university files, some of which may have contained personal information,” ITS’ email said. The university has since taken the platform offline. The email added that “this incident is limited to the Accellion application and there has not been any unauthorized access to Yeshiva’s computer systems.”

The email warned that the unauthorized party has contacted members of the YU community and that recipients should not “respond, open any attachments, or click any links.” It also urged that such contact should be forwarded to infosec@yu.edu

The Commentator obtained an email received by students from the hackers with the subject line, “Your personal data has been stolen and will be published.” The return address was different for each email received by students. Some alumni, whose personal information was compromised from the breach, told The Commentator that they have not received any communication from YU on the matter.

“If you received this letter, you are a customer, student, partner or employee of Yeshiva University,” the email began. It went on to say that “the company has been hacked” and its stolen data will be released. “We inform you that information about you will be published on the darknet” — followed by a link — “if the company does not contact us.” It concluded, “Call or write to this store and ask to protect your privacy!!!!” 

Baruch Lerman (YC ‘23) told The Commentator that, on the morning of Tuesday, March 30, he received over 3,500 emails from the hacking parties in his spam folder. “There were several that claimed they were from the ‘Yeshiva Online Security’ from some random email address,” he said. “A bunch [were] from ‘CLOP RANSOMWARE TEAM’ and a bunch that said I went to Stanford University. I've been getting more since then though the amount has definitely thinned a bunch.”

He added, “It is kind of scary that I got these to my YU email address while ITS is doing maintenance work on the internal YU systems though.” On March 26, ITS emailed students that it is conducting “scheduled maintenance” for Self-Service Banner, a portal for students’ course registrations.

Dr. Van Kelly, a Computer Science professor at YU, said that “The most alarming claims in the news seem to be, at least partly, on statements from the hackers themselves; these would not be expected to be entirely truthful.” 

Kelly added that concerned students should follow ITS’ guidance in forwarding all communications from hackers to infoesec@yu.edu, and if students have concerns about identity theft, they should visit the Federal Trade Commission’s website, which lists steps to securing “finances against hackers.”

“Ensuring the security of university-related information is one of our highest priorities and the University is approaching the matter with the utmost seriousness,” ITS said in concluding their email. “We appreciate your patience as we take the necessary steps to resolve this incident. We will provide further updates as they become available.”

Editor’s Note: This article was updated on Friday, April 2 to include a confirmation that specifics students’ personal information were posted online and that some alumni have not received any communication about the matter from the university.

This is a developing story.

Photo Caption: Accellion, a third-party service used by YU, was breached by hackers. 
Photo Credit: Yeshiva University