Weeks before the start of UC Berkeley’s fall semester, a post appeared on a popular dark web hacking forum advertising access to a “university database.” The stolen information, the hacker said, involved “all kinds of data,” including campus, student and staff names, password hashes, usernames and payments made by the school.
In messages to The Daily Californian, the hacker claimed to have sold the database — for $800 — to a buyer on the dark web.
The database in question was taken in a breach of the backend of the web server for the Rausser College of Natural Resources, or CNR, which also hosted the site of the UC Berkeley Energy & Resources Group, or ERG.
According to email statements from campus spokesperson Janet Gilmore, UC Berkeley IT officials learned of the breach when the post was made on the web forum July 31. Campus then launched an investigation into the hack alongside forensic analysis professionals and an outside specialist, Gilmore said. She added that the attack involved “persistent external attacks that had occurred on the (Rausser) web server over several months.”
The hack resulted in the CNR website going offline for 13 days while the ERG site stayed dark for 17, according to Gilmore. She said campus is “confident” that attackers no longer have access to affected services, and both websites are now online and hosted by campus’s Open Berkeley platform.
The hacker, who agreed to be referred to by their screen name “ByteToBreach,” shared a sample of the stolen data with the Daily Cal. The data included names of campus students, faculty and staff as well as phone numbers, home addresses, email accounts and some password information.
According to Gilmore, the only password information compromised involved accounts held by website administrators and content contributors. Furthermore, she claimed all such accounts were disabled when the websites went offline.
“We are currently working with an outside specialist to determine the full scope of data exposed in this incident,” Gilmore said. “At this point, we have not identified unauthorized access to any information that would likely lead to identity theft or other significant personal harm, but our investigation remains underway.”
ByteToBreach said the server security was “below average,” and they initially attempted to use the access to extort UC Berkeley into paying a ransom. However, ByteToBreach said officials did not respond to the extortion attempt, and Gilmore claimed campus has “no record of being contacted by the threat actor” and “first learned of the incident when the data was offered for sale on the dark web.”
As for the sale of the database for $800, Gilmore said the campus investigation was not able to “verify” the transaction claim.
According to ByteToBreach, universities are not a top target for attacks. Hackers such as ByteToBreach make their living by infiltrating large, mostly service-oriented organizations with sensitive information they can sell to buyers.
“(Buyers) don’t care (about universities) cause there is much better targets, Banks, Fintechs, Airlines, Gov institutions, E-Commerce, Real Estate, Healthcare, Insurance Companies, (and) Telecom’s,” ByteToBreach wrote. “I recently hacked into a central Asian airline and stole a lot of passports.”
While ByteToBreach said they worked alone on the UC Berkeley attack, they claimed not to remember the exact details of the operation because it occurred months ago, and they have a “very small brain.” However, ByteToBreach added that the access point was likely a vulnerability in the server’s phpMyAdmin installation, a web-based tool for administering MySQL databases.
Federal laws such as the Family Educational Rights and Privacy Act require schools and universities to notify students in the event of an unauthorized disclosure of their personal information, and Gilmore said campus “will follow all legal requirements regarding individual notification.”
“Very few companies respond positively to extortion attempts, even in face of dangerous and risky brand damages,” ByteToBreach wrote. “All hacked companies / institutions minimize as much as possible the impacts of security incidents.”