HIT Hacked Again? More Than 3 500 Student Account Credentials Leaked

Farai Mudzingwa Avatar
Harare Institute Of Technology

Last year in June, the Harare Institute of Technology (HIT) was hacked and the individual behind the hack demanded US$999 (then later $6.4 billion) in order to return the files. This hacker also claimed to have secured some – in fact ALL- HIT databases and now there appears to be a new database that contains students information. Or is it a database from that last leak that has seen the light of day somehow? We are not entirely sure to be honest.

What now?

The leaked database contains the sensitive information of over 3 500 students and the details leaked include:

  • Registration Number (Regnum)
  • Passwords
  • Firstname
  • Surname

HIT students, you may want to change your password

The leaked database has already been viewed by over a 100 people – a rising number- and the page where it’s linked will expire in 27 days (which we won’t link to for obvious reasons). If you’re a HIT student it’s advisable to change the password on your Student Account. I say this because even though I’m not sure what is in the student accounts, I’m assuming there’s some important and personal stuff in there.

We are not sure if this data is from the last incident…

I personally know one of the students on the database but they enrolled before June’s hack so this seems like data from that hack. After the 2017 hack, HIT’s Head of Public Relations Mr Mutema had this to say:

I can confirm that we were attacked yesterday at around 4:30AM. Social media is however blowing the whole matter out of proportion. The attackers hacked into our website. They had temporary control of the servers hosting our website and emails. We pulled our systems from the internet until we managed to sort out the matter today (yesterday).

If this data we’re seeing now is from that leak, Mr Mutema may have slightly twisted the truth about this incident since this seems like a bigger deal than he cared to admit at the time. I guess the truth always finds a way out after all…

We reached out to HIT to confirm if this database was accessed after last year’s hack or if this is an entirely new leak. The support assistant we contacted could not put us through to who we were trying to get a comment, so we will add HIT’s response once they have responded.


  1. Davie

    An institute of technology that can’t implement basic web security practices. Get some of your comp science students regularly do penetration testing for crying out loud! makutibhowa manje.

  2. Lorde Destro

    Yeah well. It was going to happen sooner or later. Glad it wasnt by ny hand 🙂

  3. Lorde Destro

    @davie.. Theyre comp science student dont know shit. my friend has half of the entire squad as clients for projects. besides comp science doesnt have much a security scope

  4. Xolani

    there are Information Security students also

  5. nzara square

    the thing at HIT is that students do some of these projects and the institute I feel it does not want to implement from the students .There is Comp Science ,Software Engineering ,IT,Information Security all both capable of doing so

    1. Lorde Destro

      Having students doing something does not mean its good enough to fly on an institutional level HIT is. perhaps talk of lecturers teaching InfoSec because they probably know a bit more but obviously not enough

  6. Tsitsi Flora

    @Davie it’s an ICT thing at HIT even the lecturers in Cyber security are not allowed to interfere with such breaches. They let the ICT department handle it, worse off us students. Can i have the link to the data to check my details 😂😂😂

    1. Lorde Destro

      Tsisti your schools security sucks and you know it,your lecturers suck together with your ICT as well as the students too

    2. Farai Mudzingwa

      You can contact the techzim Facebook page and give us your name and surname and we’ll check because once the link is in circulation that doesn’t really help the stuation.

  7. Militant Saungweme

    Fake News

    1. Lorde Destro

      I’m calling it a bluff too, this is probably techzim out of publishing content

      1. ItsJustMe

        Hahaha…Checking your other comments, i thought you were also saying they were hacked fo sho…which side you on? lol

        1. Lorde Destro

          Im there stuck inbetween “holy shit they were hacked again” and the “meh.. its a bluff”

          1. ItsJustMe

            Me am stuck at, “holy shit, they got hacked again” and “holy shit them hackers from last year finally posted the stuff”

            1. Lorde Destro

              And also “holy shit TechZim hacked HIT”……You know in all my 6 years as a hacker,2 of them being black hat, ive never heard a hacker not at least trying to take credit for their work.

              1. ItsJustMe

                haha, true true

    2. Farai Mudzingwa

      Mr Militant Saungweme, I would advise you to change your password as this name is actually on the database as well. If you need convncing you can text me on facebook:https://www.facebook.com/fmudzingwa1 and I’ll tell you your password…

      1. ItsJustMe


      2. Lorde Destro

        And Why is TechZim in possesion of this information. is withholding this information compliant with the new GDPR policy?

        1. Lorde Destro

          As far as im concerned you @TechZim are our actual worry

          1. skunkhunt42

            Who gives a crap

        2. Farai Mudzingwa

          Someone sent us a tip with the link, but if we were to share this link with our readers how many people would be compromised Lorde Destro? Much more than the ones who already have been compromised, which is why I keep insisting to you and other HIT students who think this is fake news to just text our Techzim facebook page and we can tell you your password. Is that not a fair enough resolution?

          1. Lorde Destro

            How about just mail the list to the HIT ICT department, and let them handle it whichever way they want to. Its their stuff anyway

            1. Farai Mudzingwa

              Well technically, It’s not HIT’s stuff but actually the students stuff…

              1. Lorde Destro

                Which was on HIT’s Webservers, dont you think if someone comes into your house and steals your tenants stuff its your issue to fix?

              2. Farai Mudzingwa

                So your money at the bank is the banks money?

              3. JanJan

                You don’t know what you are toking about. It is indeed HIT’s Stuff. Who manages that infrastructure , where is that data sitting. It is indeed HIT’s responsibility to have it secure.

              4. Farai Mudzingwa

                Ok JanJan, it’s HIT’s stuff.

              5. ItsJustMe

                @JanJan no offense but its your stuff. Just like you have info on Facebook and Twitter or any social platform, you own that info. Its yours.

              6. Lorde Destro

                hahahah if your money in the bank is compromised, who will you look to answer for your loss?

              7. Lorde Destro

                @ItsJustMe but the congress didnt look to us to answer to the privacy issues facebook had, because its facebooks shit… Besides, Fadzai here wants to bask in the glory of having access to your information as it stands. But im sure he is going to regret it soon. I know pretty motivated hackers who might be on his case as we speak.

              8. Farai Mudzingwa

                We are just notifying students so they can stay safe, whatever HIT decides to do is their own choice.

              9. ItsJustMe

                @Lorde Destro They didnt because Facebook is supposed to keep your data safe. Its like the bank example given above, its your money but the banking is keeping it for you..If the bank is robbed, you will complain coz its your money yabiwa..chero tichiza hedu kuti ma bank haana mari lol ..but u get the idea

              10. Lorde Destro

                We can say your intentions were pure but not quite the execution. If you had taken this to HIT you couldve done much more than the three people you had change their passwords as opposed to so called thousands

          2. ItsJustMe

            I would just tell people to change their passwords. This thing of telling people to DM u and tell their password is not necessary. If one doesnt believe you, let him/her be…I just changed mine … Hope noone saw my results lol

            1. Farai Mudzingwa

              True, that’s a bit overboard. Best course of action is to just change your password (or not change it if you do believe you’re safe).

            2. Lorde Destro

              @ItsJustMe My point exactly, and its more believable and carries a bit of urgency when your schools ICT department tells you that than a Blog…..No Offense at TechZim

              1. Farai Mudzingwa

                None taken, we are just helping the students who have been compromised, which is our job.

              2. Lorde Destro

                Youre not HIT or ministry of ICT and cybersecutiy or worse a consultant.

      3. Militant Saungweme

        kkk ko can i just have the database…since its now a pubic record?

  8. ckv

    HIT was not hacked. where are you getting all this?

    1. ItsJustMe

      How do you know nhaiwe

    2. Farai Mudzingwa

      If you are a student at HIT please text Techzim Facebook Page and we’ll check if you’re on the list and we’ll inform you what your password is, but I do advised you to change your password if indeed you’re a student…

      1. ItsJustMe

        “we’ll check if you’re on the list and we’ll inform you what your password is”……….Wait a minute………..Wait a minute………….You telling us the passwords are in plain text? Like is that it??

        1. Farai Mudzingwa

          Yes the passwords, registration numbers and the names they belong to are indeed in plain text.

          1. ItsJustMe

            Thats just wrong, bad programming and security …

            1. Farai Mudzingwa

              It’s quite unfortunate hey…

              1. Lorde Destro

                Then again,theyre the masters of zim tech 🙂 They should go to MSU and take notes, maybe a 30 day workshop.

            2. Sagitarr

              No matter how grand your programming skills are, there is always a better programmer or reverse engineering tools!!

  9. Dollar Dhuwe Dollar Dhuwe

    HIT is full shit cant even implement basic security to protect its students details…

    1. ckv

      the history say so

    2. Lorde Destro

      HIT is pretty SHIT YES

  10. Lorde Destro

    First thing is first, I’m calling it a bluff coz ive used all the search algorithms i know on most prominent SEs and nothing came up about the database.

    Second of all as a hacker ,if i have something to publish so that the general public can see, i would do put it where the public can see not a secure link or hidden link,i would make sure its highly indexed by all search eangines (SEs).

    Now thirdly if its an attack then its probably from last year because the incident from last year kind of just blew away like a passing breeze and i was sure that there was going to be more to it.

    Lastly HIT has proven that theyre not the epitome of technology in the country seen by being hacked the first time and hyperthetically thes second time coz i still call it a bluff. theyre too busy parading false superiority instead of making sure that their security is air tight. everyone at HIT is a shame from the admin all the way to the students
    As it is now, MSU is probably the epitome of Tech in the country and they have the Director with a very forward vision, So HIT, go and ask for help than constantly shame us….

    1. Farai Mudzingwa

      That is your position and I have to respect that. Judging from the comments you don’t learn at HIT. However, if you do know anyone who learns at HIT please ensure they change their password.

      1. Lorde Destro

        But why are you in possession of the information? Honestly from a security consultant’s point of view, you yourself are in breach of the basic data protection policy and quite frankly you have no policy agreement with the owners information that you hold. My advise is look the other side and pretend like you just passed through the link(if it exists) because the sole absents of this link is not reassuring on whether it exists or you are the actual perpetrator, so i think you should rather stop telling people that their names are amongst this list coz youre not making the so called situation better not for you or for the victims or for the institution. They probably have ways to handle their misfortunes, so let them.

        1. Farai Mudzingwa

          We are not in position of the data, it’s on the internet. Our job is not to look the other side unfortunately but to report these things when they happen. If we look the other side, how then do people who have their information compromised fix the situation? How do they update their passwords and prevent access from outsiders?

          1. Lorde Destro

            Thats access control on HIT’s Part, they can do all sorts of things, they can randomly run a hash algorithm on 3500 seperate words, replace their passwords column rendering all previous passwords obsolete and then run a cronjob to sent every student a new randomly alphanumeric password and then they can start to change their passwords at times of their convinience but then the whole system would be safe…..

            1. ItsJustMe

              I will bet 5 Bitcoins they cant do that stuff you just said ..lol

              1. Lorde Destro

                I can do it for them and the cryptocash is mine ?? 🙂

              2. ItsJustMe

                @Lorde Destro hell nooo… 🙂

          2. clowns @ techzim

            you are not in position of the data?? LOL !!! possession is better !!!

            1. Farai Mudzingwa

              Lol my bad, my bad!

  11. StudentX

    But pa Hit hatisviki 3500 hedu

    1. Farai Mudzingwa

      As I have replied to others, if you’re a student at HIT you can send a DM of your name and surname to Techzim’s Facebook Page and we’ll tell you your password.

      1. CyberWarrior

        With respect why are you so keen to prove yourself, If HIT was allegedly hacked as you said in the article they have noted and l suspect they will be taking their measures to safeguard their systems. There is no need for HIT students to DM you on a social media platform so that you tell them their passwords let the institution handle their matter. As a reporter your job is to report and you have reported that is the story ends there.

        Furthermore, given you already have access to their portal password what assurance do they have that you do not wish to dox them, just filling in the last pieces of your puzzle. I say so because if a student DMs you that means you now know their facebook handler and you can just scroll the timeline to learn more about that student and thereof gathering more vital information because facebook is a bit personal.

        On the other hand Farai how are you authenticating these students before you give them the passwords, because take for example l can DM you now and tell you a registration number of any student l have targeted and you will give me the password because you want to prove yourself by so doing are you not making the situation more worse.

        On a legal perspective do you have the right to provide these passwords or did the institution sign a policy with you to provide the passwords if not, i’m afraid that you might be breaching the basic data protection policy.

        1. Farai Mudzingwa

          Yeah, and I did acknowledge in an earlier comment that asking people to DM me was out of line.

  12. JanJan

    TechZim Hacked HIT period. Why should one trust you. Are you conniving with the hackers. HIT should sue you. This paper should become history.

  13. afrohacker

    HIT poses itself as the institution with technology superior to all other institutions. HIT should learn from its mistakes and upgrade all their infrastructure.

    At this rate I doubt if HIT students will be taken seriously in the industry (especially their Information Security and Assurance students) after they graduate.

    1. Lorde Destro

      I dont even employ HIT students 🙂 for anything

      1. CyberGhost

        and we dont want to work for you either

        1. Lorde Destro

          Noted with a smile 🙂

      2. vliqCliq

        try me!

  14. Lorde Destro

    If i was still in my black hat days i would have went straight for your mail exchange servers because now we know that in there is an anonymous tip with the link to the information that i could possibly use. But as a white hat hacker im going to tell you to delete the email immediately because if you yourself get hacked and more damage is done because the information got out and obtained through you then it’ll definitely be a different ball game.

    1. Farai Mudzingwa

      Thanks for the advice

  15. Whistle blower

    Not saying I know who did it…..

    But Golix security engineer might know something. The guy knows too much.

    There are few good hackers in Zim, but he is always my first suspect for local hacks.

    1. Lorde Destro

      you havent met anyone then:)

    2. vliqCliq

      hahahahahaha..wakanyanya mface

  16. Lorde Destro

    Guys we are all nissing one point here that can utterly prove that this blog is lying. Who did Fadzai get this statement below from at HIT??

    “I can confirm that we were attacked yesterday at around 4:30AM. Social media is however blowing the whole matter out of proportion. The attackers hacked into our website. They had temporary control of the servers hosting our website and emails. We pulled our systems from the internet until we managed to sort out the matter today (yesterday).”

    1. Farai Mudzingwa
      1. Lorde Destro

        but that article is from last year and you took that statement from it meaning this your post is either fake or a year late.. which one is it Fadzai? TechZim credibility might be going up in smoke..

        1. Farai Mudzingwa

          Yes there was a hack last year but at the time the database was not online which is why we are questioning if this is a new incident or if the same database has been uploaded now…

          1. Lorde Destro

            Now youre talking….. But that comment threw us away pakuti last night at 4am apo

  17. sg

    ko link yacho

    1. Farai Mudzingwa

      To prevent the circulation of a link containing students sensitive information we chose not to publish the link. If you are a student update your password.

      1. Entertain me

        and have you alerted HIT before posting your article?

  18. Lorde Destro

    Good Chat….see you on the next fake post

  19. Ahmed Salim Komichi

    Information security students are on demand just pay them

  20. Imi Vanhu Musadaro

    What is the worst a person could do with a registration number, name and password? Just curious.

    1. chamisa_advise

      Not much but some people use the same password for everything, so if by chance that compromised password is the same as say facebook a hacker could then steal your identity and post nasty stuff on your behalf or leak some of your private activities

      1. Imi Vanhu Musadaro

        Understandably so, but you would need their email address or FB/Twitter handle? A password alone doesn’t help, let’s say my password is &chinemaneji234 and my name is Tendai Mafura, what’s the next step to hack my email? My email could be tmafura, tenma, tendai or even mafura@gmail.com. The permutations increase once we consider addresses like mafura2010@gmail.com. For all you know the email address isn’t even derived from the name nor is it hosted on Gmail. Sounds like too much noise for a low threat hack.

  21. Anonymous

    Techzim motuwana kupi tunyaya twenyu tusina order utwu. Get a life!

    1. Farai Mudzingwa

      Mr Anonymous, if you’re a student at HIT please change your password so that no one accesses your information illegally…

  22. ed_has_my_vote

    I am begining to think that techzim itself ndiyo ya Hackwa, coz zvikutaurwa na @Farai Mudzingwa hazvina musoro.

  23. vliqCliq

    At least we can start by investigating techzim and farai mudzwingwa for allegedly hacking HIT. Muchatiudza kuti tip yenyu maiwana kupi?

    1. Farai Mudzingwa

      You can go ahead and investigate but if you are a student at HIT please start by changing your password before you begin your investigations

  24. HIT Vice Chancelor

    I would like to confirm the hack.

    We have taken the student portal offline. The damage this hack has both on the image of the institute and that of the students is of terrific magnitude. We will not stop our investigations until we find the people behind this hack.

    At the mean time I advise all of to to change your passwords.

    1. pardington japajapa

      how could u not expect this to happen imi kana chirungu chacho chikutokunetsai, invest more on security you are a technology university

  25. Wise owl

    Imi what’s the issue, wether the matter is fake or not TechZim brings a point to the table just change your credentials.

    And Mr Lorde Destro… please grow up stop feeding yourself lies saying you are a hacker and go get yourself a hobby or better yet enda unotsvaga mari

    Asante sana.

  26. Code queen

    Hey people.. Being hacked doesn’t sto HIT from being the best tech institution… Our lectures are not the designers of our database neither is our students… If ttz wah u do at ur institutions I’m sry ttz not wah we do so being hack is not a true indication tt we not the best but just indicates tt currently our database are not tt secured coz if I say they have no security I will be lying ciz nomatter hw much u secure ur dB there is always a btr programmer than you and when he feels like hacking he will… So watz not best tech are those or its tt person who designed the database… About the issue of coping from. MSU tt wont happen… Im sry to say this Google is admiring our students every year and graduates are being employed to America and on top of tt empressing.

    1. Van Lee Chigwada

      Is this English?

  27. University of Zimbabwe

    Taimbokuudzai kuti haisi university

  28. Chubby chivero

    Ko madii manorara muku bhadharwa here no one cares its Hit ‘s problems not ours …. at the end of the day tese tichafa and hapana anopinda denga neku hacker …… keep talking if u want but that wont stop Hit from succeeding … tese tichafa tichirwadziwa nekubudirira kwavo and vazhinji are commenting cz its hit dai tirisu MSU taingonzi vanoenda nepi basa nderekuita entertainment nezvisizvo

  29. Chibaba

    I suspect the students!!!

  30. Dipin

    A very informative blog on HIT Hacked Again? More Than 3 500 Student Account Credentials Leaked.If you are looking for School ERP Software then i would suggest Entab CampusCare since,they are the leader in school ERP by providing best School Management Software.

    With over 1200+ Clients and 18 years of experience they have developed an impeccable reputation of being the leader in the industry when it comes to school management software.

    For more info visit : http://www.entab.in

  31. JO90

    hi there! It’s great site. so many topics and opinions. I used to read, basically washingtonpost but now your site one of my favorites. Thank you!

    1. Farai Mudzingwa

      Thanks a lot, we will do our best to stay as one of your favourites…