University of Lagos Student Portal Breached — 50,000 Student Records Leaked on Dark Web

The Incident

A threat actor using the handle "ng_leaker" posted a database dump on a popular dark web forum containing records of over 50,000 University of Lagos students. The data was reportedly extracted from the university's student information portal.

What Was Leaked

The leaked database contains student full names and matric numbers, personal email addresses and phone numbers, home addresses, academic transcripts and CGPA records, course registration details, and in some cases, passport photographs.

How It Happened

Cybersecurity researchers who analyzed the leak suggest the attacker exploited an unpatched SQL injection vulnerability in the student portal's login page, a basic vulnerability that has been well-documented for decades.

University Response

UNILAG management acknowledged the breach in a press release, stating that they are "investigating the matter with relevant authorities" and have temporarily taken the student portal offline for security patching.

Impact

With matric numbers, names and academic records exposed, affected students face risks of academic fraud, identity theft, and targeted phishing attacks — particularly during NYSC mobilization and job application periods.