Cyber Attack on TU Eindhoven via Stolen, Reused Passwords
By Netvora Tech News
The attackers who gained access to the network of Eindhoven University of Technology (TU Eindhoven) used stolen, reused passwords for VPN accounts. It was already known that these accounts had been compromised earlier. The university had asked the account holders to change their passwords, but some of them set the old password again, and the system did not automatically block that reuse. Moreover, multi-factor authentication (MFA) was not enforced on the VPN, so the attackers could log in with just a username and password.
According to the investigation, the attackers first logged in on January 6th. Five days later, they managed to elevate their rights. On January 12th, they attempted to shut down the university's backup solution. Twenty-five minutes later, the university took the network offline, effectively stopping the attack. Before the attack was stopped, the attackers had acquired enterprise administrator rights.
Traces of the attacker were found on 91 systems. On 14 systems, "hands-on-keyboard" activities were performed, while on the remaining 77 systems, only login activity was detected without further action.
The university has since addressed the vulnerabilities in its own security that the attackers exploited. The identity of the attackers and their motives remain unknown, but it is suspected that they may have been a ransomware group.
"The reality is that we had hackers inside, which meant the university was paralyzed for a week, causing significant consequences for students and employees," said TU/e vice-rector Patrick Groothuis. "We will take the advice from the reports to heart and continue to invest in strengthening our cybersecurity. It remains a cat-and-mouse game where you can never stand still."
- The attackers used stolen and reused passwords from VPN accounts.
- The university had requested account holders to change their passwords, but some reused the old password.
- Multi-factor authentication (MFA) was not enforced on the VPN.
- The attackers first logged in on January 6th and managed to elevate their rights five days later.
- The university took the network offline on January 12th to stop the attack.
- The attackers had acquired enterprise administrator rights before the attack was stopped.
- Traces of the attacker were found on 91 systems, with 14 systems showing "hands-on-keyboard" activities.
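The two control gaps named above (a forced password change that did not block reuse of the old password, and a VPN that accepted a password alone) are straightforward to close in an identity service. The following is an added example, not code from TU Eindhoven or from the reports cited in the article; it assumes a hypothetical account store in which each account keeps a bounded password history of (salt, PBKDF2 hash) pairs, a `must_change` flag set when the credential is known to be compromised, and a VPN login path on which an MFA result is mandatory. The PBKDF2 work factor is deliberately low so the demo runs quickly; a production deployment would use a much higher iteration count.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: reduced PBKDF2-HMAC-SHA256 work factor for a fast demo only.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with a per-entry salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    current_hash: bytes
    # Previous (salt, hash) pairs, newest last; used to reject reuse.
    history: list = field(default_factory=list)
    # Set when the credential is known to be compromised; login is refused
    # until the password has actually been rotated.
    must_change: bool = False


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def mark_compromised(account: Account) -> None:
    """Flag a leaked credential: no VPN login until a new password is set."""
    account.must_change = True


def change_password(account: Account, new_password: str, history_depth: int = 10) -> bool:
    """Rotate the password; refuse if it matches the current or any stored previous one."""
    # Compare against the current password using its own salt.
    if hmac.compare_digest(hash_password(new_password, account.salt), account.current_hash):
        return False
    # Compare against every retained previous password, each under its own salt.
    for old_salt, old_hash in account.history:
        if hmac.compare_digest(hash_password(new_password, old_salt), old_hash):
            return False
    # Accepted: push the current credential into history, keep it bounded, store the new one.
    account.history.append((account.salt, account.current_hash))
    account.history = account.history[-history_depth:]
    account.salt = os.urandom(16)
    account.current_hash = hash_password(new_password, account.salt)
    account.must_change = False
    return True


def vpn_login(account: Account, password: str, mfa_verified: bool) -> bool:
    """Allow VPN access only with a non-compromised password AND a verified second factor."""
    if account.must_change:
        return False  # flagged credential: rotation required first
    if not hmac.compare_digest(hash_password(password, account.salt), account.current_hash):
        return False
    # A correct password alone is never sufficient.
    return mfa_verified


if __name__ == "__main__":
    # Constructed walk-through: a leaked VPN password, a reuse attempt, then a real rotation.
    acct = create_account("alice", "Winter2024!")
    mark_compromised(acct)
    print("login with leaked password, MFA ok:", vpn_login(acct, "Winter2024!", True))   # False
    print("re-set the same password:", change_password(acct, "Winter2024!"))              # False
    print("set a new password:", change_password(acct, "correct horse battery staple"))   # True
    print("reuse the old one later:", change_password(acct, "Winter2024!"))                # False
    print("new password, no MFA:", vpn_login(acct, "correct horse battery staple", False)) # False
    print("new password, MFA ok:", vpn_login(acct, "correct horse battery staple", True))  # True
```

Two design points matter here. The `must_change` flag fails closed: an account whose credential is known to be leaked cannot authenticate at all until it has been rotated, rather than merely being nagged at next login. And `vpn_login` returns the MFA result as the final gate, so there is no code path on which a username and password alone grant access.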