A cunning spear phishing attack late last week allowed hackers to gain access to the University of Otago's staff email server and use it to send out an estimated 1.55 million spam emails in 60 hours.
According to news reports from Otago about the breach, four members of the university's staff responded to emails that claimed to be from the IT department and asked people to reconfirm their user names and passwords or their email access would be withdrawn.
Armed with these login details, hackers could compromise an email server within "a couple of hours" and use it to connect to computers outside the university and send out spam, according to university IT manager Mike Harte.
The huge volume of spam mail resulted in the university's legitimate emails being rejected or delayed by other systems, Harte said. They were re-sent once the spam attack was over.
The four staff members who revealed their passwords were not disciplined, Harte said. The staffers had been warned in April not to fall for the hoax emails, after similar emails turned up at some New Zealand universities.
Tim Wilson, Site Editor, Dark Reading