The Redeemer’s University data breach is the latest in a growing wave of attacks targeting educational institutions in Africa. A hacker has leaked a database containing 1,323 user records from Redeemer’s University’s Open Educational Resource (OER) portal (oer.run-edu.ng). The data, which includes university email addresses and hashed passwords, has been posted publicly on a dark web forum, allowing instant access to threat actors and credential-stuffing bots. Though small in volume, the leak poses serious risks to staff and students due to the common practice of password reuse across banking, email, and social media accounts.
Background
Redeemer’s University (RUN), a major private institution in Nigeria, operates several online services including its OER platform, which provides academic resources for students and faculty. The leak originated from this secondary portal rather than the main university network, suggesting that attackers exploited an outdated or unpatched content management system. Dark web intelligence analysts observed that the leaked dataset was distributed freely, signaling that it was not motivated by ransom but by public exposure. Free leaks like this typically lead to rapid replication across multiple forums and Telegram groups.
- Victim: Redeemer’s University (Nigeria)
- Compromised portal: oer.run-edu.ng (Open Educational Resource portal)
- Records leaked: 1,323 users (staff and students)
- Data fields: University email addresses and hashed passwords
- Distribution: Free public dump on hacker forum
- Main risk: Credential stuffing, phishing, and potential lateral movement into other systems
Breach Details
The database includes university-issued email addresses in combination with their hashed passwords. While hashing provides some protection, most weak or reused passwords can be quickly cracked using automated tools like Hashcat. Once cracked, attackers use the email-password pairs to attempt logins across major Nigerian financial institutions, email services, and social media platforms. Because many users reuse credentials across multiple sites, even a single compromised password can lead to widespread account theft and fraud.
Researchers have identified that the leak originated from an outdated or poorly maintained learning management or content system. The domain oer.run-edu.ng appears to have been operating with minimal updates, making it vulnerable to classic web application exploits such as SQL injection. In cases like this, attackers gain access through the vulnerable subdomain, extract the database, and then post it online for notoriety or resale. The Redeemer’s University data breach illustrates how neglected web portals become an easy gateway into otherwise secure networks.
Key Cybersecurity Insights
Credential Stuffing Goldmine
The exposed dataset represents a ready-made target list for credential stuffing. Attackers can take the cracked passwords and use them to test logins on popular platforms such as GTBank, Kuda, Binance, Gmail, and Facebook. University email addresses are especially valuable because they tend to be persistent, verified, and tied to real identities. Once attackers find a match, they can immediately steal funds or sensitive information. For affected users, the risk is not theoretical; it is active and ongoing.
Phishing and Social Engineering Threats
The Redeemer’s University data breach also enables precise phishing. Attackers can impersonate IT staff or university administration, referencing the real breach to add credibility. For example:
“Hello [Student Name], this is the RUN IT Department. Due to a recent security issue on the OER portal, you must verify your new password at [phishing link] to restore access.”
This tactic exploits real panic to capture credentials or distribute malware. Because these emails reference the real leak, victims are highly likely to trust and act on them. This type of “breach-aware” phishing is now one of the most common follow-up attacks after educational data leaks.
Unpatched Portals as Entry Points
The compromised OER portal highlights a recurring weakness across academic institutions: forgotten or lightly maintained subdomains. While main websites and administrative systems are often secured, auxiliary portals such as OERs, Moodle instances, or WordPress blogs may go unmonitored. These systems typically handle lower-value data, but once breached, they expose valid credentials that can be used for internal pivoting. The Redeemer’s University data breach may therefore serve as a wake-up call for institutions across Nigeria to audit their digital infrastructure for forgotten endpoints.
Regulatory and Legal Impact
Under Nigeria’s Data Protection Act (NDPA, 2023), Redeemer’s University is obligated to report any confirmed data breach to the Nigeria Data Protection Commission (NDPC) within 72 hours. Because the incident involves personally identifiable information tied to institutional accounts, failure to report could result in significant fines and compliance enforcement. The NDPC has emphasized that educational institutions must maintain secure systems and ensure continuous vulnerability management. In addition, the university must formally notify affected users of the breach and outline clear mitigation steps.
Mitigation Strategies
For Redeemer’s University
- Force password resets: Immediately reset passwords for all users of the OER portal and all other connected services. Require new passwords that meet strong security standards.
- Enable multi-factor authentication (MFA): Require MFA for all student and staff accounts to prevent unauthorized logins, even if passwords are compromised.
- Take the OER portal offline: Shut down the oer.run-edu.ng domain until it has undergone a complete forensic investigation and rebuild.
- Report to NDPC: Submit a formal breach notification to the Nigeria Data Protection Commission within the legal timeframe.
- Public communication: Release an official statement confirming the incident and warning against phishing campaigns impersonating the university.
For Affected Users
- Change reused passwords immediately: If you used your RUN or OER password on any other account (especially for email, banking, or social media), change it now.
- Be alert for phishing: Do not click on links in messages claiming to be from the university or IT department. Always verify requests through official university channels.
- Use unique passwords: Create unique passwords for each service. Consider using a password manager to track them safely.
- Run malware scans: If you interacted with suspicious links or attachments, perform a full device scan using Malwarebytes to ensure your system is clean.
- Enable MFA everywhere: Add multi-factor authentication on all online accounts to block unauthorized access attempts.
For Universities and Educational Institutions
- Audit all web assets: Identify and secure all subdomains and portals that handle user authentication or personal data.
- Patch legacy systems: Apply updates to Moodle, WordPress, and similar CMS platforms to close known vulnerabilities.
- Implement logging and monitoring: Use centralized logging and intrusion detection to identify abnormal access patterns early.
- Backup and encrypt data: Store sensitive data in encrypted form and maintain verified backups offline.
Sector-Wide Lessons
The Redeemer’s University data breach demonstrates the scale of damage that can result from small, overlooked systems. Educational institutions must recognize that every login portal represents an attack surface. A breach affecting just 1,300 users can quickly cascade into a national-level threat when those same users have financial or social accounts tied to their university credentials. Strengthening security around academic networks is essential not only for compliance but also for protecting the broader ecosystem of students and faculty who rely on shared digital identities.
For ongoing updates on confirmed data breaches and coverage of cybersecurity incidents across universities and private sectors, visit Botcrawl for real-time threat analysis and expert reporting.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.





