Students at University College London were subjected to thousands of spam messages after pranksters created an email thread including every student of the university. The email that sparked off around 3,000 replies simply contained one word: “bello”.
With access to the internal email address of ‘[email protected]’, students took full advantage of the security breach and began to have a little fun. This meant a whole host of Bello-related puns, most famously a parody of Lionel Richie’s ‘Hello’ with “Bello, is it me you’re looking for?” Then came the subscriptions to numerous websites and mailing lists, including porn sites, dating sites and even UKIP. Some people desperately pleaded for everyone to stop hitting ‘Reply all’, but their voices were drowned out in a sea of spam. Soon #Bellogate was trending at the top of the UK trends on Twitter, and students were frustrated at the onslaught their inboxes had been taking.
Although the whole event is rather humorous, it does raise the question of how secure students’ university email addresses are and how pranksters managed to infiltrate the system. On the 10th October, UCL issued an apology to their students and tried to explain what had occurred. They said:
“The email originated from an anonymous account which we cannot trace.”
“For reasons we are trying to establish, no moderation was set up on the email list which meant anyone could send to the list. This meant the reply-all responses and sign-ups to various external sites caused a large number of spam emails to students.”
“ISD [Information Services Division] will be holding a comprehensive review of the control mechanisms for group email creation and email security at UCL.”
It seems that UCL does not know how Bellogate came into being, but they intend to tighten their security so that it will not happen again. They have also said that no security / personal data has been breached as all messages were sent to a group email and not to individual email addresses. Those who replied to the email thread will have revealed their email address, but otherwise no information was stolen.
So should students now be worried about the safety of their university email address? No more than usual. In the case of Bellogate, the “anonymous account” could only spam people’s inboxes; it could not, for example, read the recipients’ emails or access their bank accounts. It may not have been the best idea to respond to the thread and to make your email address known to the entire university, but on the whole the worst thing to come out of an event like this is the necessity to clean 3,000 spam emails out of your inbox.
This seems very much like an isolated incident that is of no real concern to the majority of universities and their email systems, merely a lapse in security of UCL’s own system on one particular evening when somebody decided to have some fun. It may not be known how or why the prankster managed to spam all of their peers; perhaps they did indeed seek the chaos that would certainly follow, or maybe they just came to say “bello”.