Photo: Louie Douvis
The hacker who stole the personal details of thousands of Australian military personnel used a simple technique that would fail to breach most modern security systems.
Darwinare, who describes himself as ''the first black hacker'' and is linked with online activists Anonymous, used a method called SQL injection last month to access a University of NSW database at the Australian Defence Force Academy.
He then dumped the data - the full names, dates of birth and other details of about 12,000 former and current ADFA students and staff - onto a pub-lic website.
SQL injection involves visiting a website that asks for information, such a username or password, but entering a coded instruction instead.
In this case, the ''injected'' command sent the entire database to the hacker.
Darwinare, who says he is a student in the mid-west of the United States, told Fairfax Media he was shocked at the lack of security, saying he was '''very surprised I didn't get kicked out … So simple, took like three minutes. Literally, like, three f---ing minutes!''
He used the same method for previous ''hacks for fun'', including raids on university databases in Michigan, Connecticut and Colorado, and the British arm of online bookstore Amazon.
He also employed SQL injection against Israeli government websites last month as part of Anonymous's response to Israel's airstrikes in the Gaza Strip.
About a week before his attack on the University of NSW database, Darwinare watched and shared a YouTube video called Basic SQLi for dummies, which has since been deleted.
A senior engineering lecturer at RMIT University, Mark Gregory, said SQLi was a dated hacking technique that would nonetheless work against most Australian universities.
''It's easy to protect against, but universities spend very little money on security. They're easy targets for hackers.''
Yet Dr Gregory said the University of NSW at ADFA should have been better prepared because of its connections with the military.
''That place gets a huge slab of funding from Defence,'' he said.
''The question is: why on earth were the SQL ports of student databases accessible to anyone outside the university?''
The university says it took immediate action to mitigate the attack's effects and ''removed any possibility of further hacking''.
One online activist, who uses the pseudonym Pablo Neruda, was unimpressed with Darwinare two weeks ago after he stole data from the University of Connecticut, saying his attack ''only adulterates hacktivism''.
Pablo Neruda tweeted to Darwinare: ''Sounds to me like your goal was as pointless as female odalisques.''