From the vantage point of the hour of 20.00-21.00 in Central Standard Time in Illinois, I have been tracking a story that has bypassed most of the UK’s sleeping student population. The student email system at University College London has been compromised after an unknown party gained access to the UCL Provost’s email account along with its mailing privileges; most crucially to send mass emails to ‘email@example.com’.
The beginning of the episode around one hour before midnight may have been timed to cause maximum disruption to IT services, with the UCL ISD Service Desk open between the hours of 09.30-17.00 and out-of-hours IT issues served by an automated system called NoRMAN. The Provost has issued no response to the crisis and it is likely that he along with other senior UCL faculty and managerial staff, are asleep. Emails continue to fill student inboxes, some recognised as spam but many occupying the folders normally protected by anti-spam filters.
Over 2,000 emails have been sent since the original ‘bello’ message, which included nothing but the text ‘bello!’ was sent to all UCL students at 22.47GMT on 08/10/14, ostensibly from the account of the UCL President and Provost Professor Michael Arthur. Some students have claimed that the account itself is an imposture and that no authentic firstname.lastname@example.org address prior to this existed, the closest addresses being email@example.com and firstname.lastname@example.org. In any case, the email accounts of approximately 29,000 UCL students and several thousand recent alumni are now in receipt of thousands of spam, joke and absurdist emails by the hour. Additionally, #bellogate became the UK’s top trending topic on Twitter within two hours of the first message being sent.
The breach appears to have placed the UCL student mailing list in the public domain, allowing pranksters to sign up the entire student body to mailing lists for football clubs, political parties, fan clubs and pornographic websites, to name but a few categories most prominent in the discussion of ‘#bellogate’ on Twitter. The Cheese Grater, UCL’s main student magazine, provided a screenshot of an email which linked all UCL students to the One Direction Fan Club:
Students from UCL’s longtime rival King’s College London (KCL) have capitalised on the situation with many prank messages apparently emanating from the KCL campus, including at least one message which signed up the UCL student body to the KCL application system as ‘Flight Lieutenant Bello’:
There is no indication as of yet whether the breach can or will affect mailing lists of other UK universities or whether similar vulnerabilities can be found in other .ac.uk networks. The episode has a precedent in New York University’s November 2012 ‘Replyallcalypse’, in which an email sent erroneously from an older sever by the NYU Bursar exposed the potential to access the entire NYU student mailing list through the ‘reply all’ function.
UCL management and UCL ISD services are yet to comment on the situation as of time of publication. As of 03.15GMT on Thursday 9th October 2014, prank and spam emails continue to flood the inboxes of UCL students. Academic schedules and class plans for UCL remain officially unchanged though communications between staff and students will almost certainly be paralysed as inboxes fill to capacity and new messages are ignored.
The episode may be recorded as one of the definitive student pranks of the 2010s or the exposure of major security vulnerabilities in university IT systems.