Updating Story: Hacker Says He Stole Millions of Columbia University Admissions Records

NEW YORK - A self-described hacktivist who previously infiltrated two other major universities says he spent more than two months prowling Columbia University’s computer network, siphoning off decades of admissions data in a breach that he claims could expose the personal details of millions of students, applicants and employees.

A Two-Month Crawl Through Columbia’s Network

The intruder, who uses the alias “Computer Niggy Operations”, claims to have exfiltrated roughly 460 gigabytes of files, including nearly 2.5 million admission applications dating to the late 1990s. A slice of the trove reviewed by Bloomberg reporters appeared to show university-issued identification numbers, citizenship status and final admissions decisions. Columbia, which disclosed the attack last week after a prolonged outage, has confirmed that data was taken but says the full scope will not be clear for weeks.

“The attacker appears to have been highly sophisticated and very targeted,” a spokesman said, adding that the university has enlisted the cybersecurity firm CrowdStrike and has seen no further malicious activity since June 24, when email, learning platforms and payroll systems went dark for five days.
  

In an exclusive communication the breach-tracking site DataBreach.com, the hacker said he had obtained “full, unrestricted access” to Columbia’s core infrastructure.

“Their SIS was compromised, their AD was compromised - ADCU and several other domains - and every ESXi host in both the Morningside Heights and Syracuse data centers. Everything was compromised.”
  

To demonstrate that reach, he provided the site with a spreadsheet containing about 350,000 Columbia University Network IDs. DataBreach.com has since made the list publicly searchable, allowing students and alumni to confirm whether their own accounts were touched.

“If your UNI is on that list, your data was in the breach,” the hacker told the outlet.

Affirmative Action in the Crosshairs

The hacker said the raid was meant to reveal “whether Columbia continued affirmative action anyway” after the Supreme Court’s 2023 ruling barring the practice. He has already claimed responsibility for breaches at the University of Minnesota and New York University - attacks publicized in July 2023 and March 2025 - each time releasing data intended to show that race still influenced admissions.
 

Political Stakes and Frozen Funds

The inquiry unfolds against a volatile political backdrop. Columbia is negotiating to unfreeze about $400 million in federal research grants that the Trump administration blocked in January, first over accusations of antisemitism on campus and later over diversity programs. Evidence that Columbia weighed race improperly could complicate those talks and intensify scrutiny across the Ivy League.
 

Crown Jewels Compromised

The attacker claims to have e reached Columbia’s student-information system, multiple Active Directory domains and every VMware server in data centers in Manhattan and Syracuse, N.Y. That level of access, would allow an intruder to copy - or quietly alter - almost any record the university keeps.

What Information May Be at Risk

Although the 1.6-gigabyte sample reviewed by reporters at Bloomberg did not include names or Social Security numbers, the hacker insists that the broader cache does. If that claim holds up, the haul could expose:

• full legal names
• dates and places of birth
• Social Security numbers and taxpayer IDs
• passport, visa and driver’s-license numbers
• permanent and campus mailing addresses
• personal and Columbia email accounts
• mobile and home telephone numbers
• demographic flags such as race, ethnicity and citizenship
• complete academic transcripts and disciplinary notes
• financial-aid worksheets, scholarship and loan details
• bank-account and routing numbers used for tuition or payroll

The attacker also claims to have copied payroll files for faculty and staff, as well as spreadsheets showing financial-aid offers across income brackets - documents that could reignite debate over fairness in elite college admissions.

University Response and Potential Liability

Columbia says it will notify anyone whose information was compromised once the forensic review is finished. Under New York’s SHIELD Act and federal education-privacy rules, the university could face penalties if investigators determine that safeguards were inadequate or that notification was unduly delayed.

Protecting Yourself

Cybersecurity experts urge students, alumni and staff to place fraud alerts on their credit files, change passwords linked to Columbia accounts and remain wary of phishing emails that appear to come from university offices. Identity-theft specialists also recommend freezing credit outright to block new loan applications in a stolen name.