
Hacked UC Berkeley Data Allegedly for Sale on a Cybercrime Forum Raises Questions the University Refuses to Answer
A look at the claims, the actors amplifying them, and the absence of a formal campus disclosure
On July 31, 2025, a dark-web monitoring firm said a “full university database” tied to UC Berkeley had been put up for sale. Within days, another cyber-intel team published a summary of a forum listing that allegedly offered a Berkeley database in SQL or CSV format, with phpMyAdmin access, and data categories that included student and faculty details, seminar information, usernames, password hashes, and school-related payment records. None of that has been confirmed by the university, and no public technical evidence has been shared that would allow independent validation.
Social accounts that track dark-web activity amplified the forum post in early August, attributing it to a threat actor going by “ByteToBreach.” One campus newspaper’s social feed reported that the actor claimed the database sold for about eight hundred dollars. Claims about pricing and sale status come from the alleged seller and are not verified.
Meanwhile, a class-action law firm published a page saying it was investigating the alleged breach and explicitly noted that UC Berkeley had not acknowledged the incident at that time. This type of legal “investigation” post often follows unverified dark-web chatter and should be read primarily as a marker of interest rather than confirmation.
What the public record shows
- A timeline of claims, not proof.
• Jul 31, 2025: HackNotice publishes a short item saying a full UC Berkeley database is for sale.
• Aug 4, 2025: SOCRadar posts the most detailed summary of the alleged listing, including file formats and data types.
• Early Aug 2025: Dark-web news accounts circulate the claim, naming “ByteToBreach” as the actor. A Daily Cal social post repeats the seller’s assertion that the data sold for about eight hundred dollars.
- No matching disclosure from the university.
UC Berkeley’s Information Security Office maintains an active news and alerts feed, which in 2025 has warned about phishing, scams, and software vulnerabilities. As of today, there is no public notice that confirms the specific July or August incident described in the forum posts. That absence does not prove the claim is false, but it matters because UC campuses typically publish formal notices when regulated personal information is confirmed exposed.
- Legal and policy backdrop.
The University of California system has faced increased scrutiny over campus security and privacy this year, and several campuses have issued other types of notices unrelated to this allegation. None of that changes the verification status of the Berkeley forum claim, but it underscores why a clear official statement would be significant.
What remains unverified
- Authenticity and freshness of the dataset.
No credible third party has published sample records with sensitive details redacted that would allow independent verification against nonpublic systems, and no known victim notifications refer to this forum event. The SOCRadar post summarizes the listing’s assertions but does not establish that the data are real, recent, or campus-wide.
- Scope.
Phrases like “full university database” often inflate the scale of an incident. Many dark-web listings later resolve to a single departmental system, a testing environment, or stale data taken from a third-party service. Without a technical report or a campus notice, the scope is an open question.
- Root cause.
The listing does not provide forensics. Causes in similar cases range from direct compromise to exposed management panels to vendor-side leaks. Until the university or a reputable investigator provides details, the cause is speculation.
Why the absence of a notice matters
California law and UC policy trigger public notification duties when specific classes of personal information are confirmed exposed. UC Berkeley’s security site shows routine activity on other risks in mid-2025, which suggests the communications channel is active. If the campus had validated a breach of regulated data, a formal entry on that page is a reasonable expectation based on past practice. The lack of a matching entry is therefore a critical data point in weighing credibility, though it is not dispositive.
Practical guidance for students and staff while facts are scarce
- Reset reused passwords and enable two-factor authentication on any campus-adjacent accounts. Phishing waves that leverage campus branding remain a live risk.
- Treat targeted messages that reference courses, payroll, or bursar items with caution. Attackers often weaponize real campus terms, even when a specific breach is unproven.
- Monitor the Information Security Office page for any later confirmation or guidance. If a formal notice appears, follow its steps, which in past incidents can include credit monitoring or additional safeguards.
What would settle the question
- An official UC Berkeley or UC Office of the President notice that identifies affected systems, dates of access, and categories of data.
- Independent technical validation that the dataset contains current, nonpublic Berkeley records with table structures or identifiers that match campus systems, shared in a way that protects individuals.
Bottom line
There is a coherent thread of claims that a UC Berkeley database was offered for sale in late July, and there are secondary posts describing formats and supposed contents. There is not, at this time, a verifying disclosure from the university or a reputable third-party forensic report. The story is consequential if true, but the evidentiary bar has not yet been cleared in public. Until it is, treat the listing as an allegation, harden your account security, and watch the official channels for confirmation or refutation.
