bleepingcomputer.com via Reddit

CareerConnect Hack Exposes Oxford User Credentials

Key insights

  • CareerConnect, operated by Group GTI, was breached May 28, exposing names, emails, and encrypted passwords for non-SSO users.
  • Oxford's own systems and student passwords were not compromised; the breach was limited to Group GTI's third-party infrastructure.
  • Oxford has now disclosed two breaches in 2026; the May Canvas LMS incident was separately attributed to the ShinyHunters group.

Why this matters

A single Group GTI breach simultaneously exposed users at Oxford, King's College London, and the University of Manchester, showing how shared EdTech infrastructure concentrates risk across otherwise independent institutions. The credential-harvesting focus of this attack pairs with the earlier ShinyHunters-linked Canvas LMS breach to leave Oxford users facing layered phishing risks from multiple simultaneous exposure events in 2026. Two breach disclosures in under two months at one university signal that UK higher education's reliance on shared third-party platforms creates systemic exposure that individual institutional security teams cannot independently control.

Summary

Oxford University disclosed on June 8 that CareerConnect was breached on May 28 via third-party provider Group GTI. Exposed: first names, last names, email addresses, and encrypted passwords for non-SSO users. No financial, course, or appointment data was involved; Oxford's own systems and student passwords were not compromised. The platform also serves King's College London and the University of Manchester, extending the exposure across UK higher education.

  • GTI invalidated all affected passwords; users must reset credentials at next login.
  • The breach was focused on gathering credentials to enable downstream phishing attempts.
  • Oxford's second 2026 incident: ShinyHunters compromised Instructure's Canvas LMS in May, exposing usernames, messages, and enrollment data.

Shared third-party platforms mean a single provider breach can reach multiple elite institutions simultaneously.

Potential risks and opportunities

Risks

  • Harvested credentials from CareerConnect could fuel targeted phishing against Oxford, King's College London, and University of Manchester users already sensitized by the May Canvas LMS breach.
  • Group GTI faces multi-institutional liability if affected universities across its shared platform pursue independent data breach claims or regulatory complaints.
  • If exposed encrypted passwords are cracked, attackers gain account access to a platform connecting employer recruiters with students and researchers at three major UK universities.

Opportunities

  • Credential monitoring vendors offering breach alerting can approach all three affected institutions; Oxford, King's College London, and University of Manchester now have documented multi-breach exposure in 2026.
  • Third-party vendor security assessment firms have a clear pitch to UK universities sharing GTI's CareerConnect platform before another incident.
  • Phishing simulation and security awareness vendors can target UK higher education institutions now managing back-to-back breach notifications to overlapping user bases.

What we don't know yet

  • Total number of users exposed across all three affected institutions has not been disclosed.
  • No threat actor has been named for the May 28 CareerConnect attack, unlike the Canvas LMS breach attributed to ShinyHunters.
  • Whether King's College London and the University of Manchester have independently notified their own affected users remains unconfirmed.