"Alumni, research staff and employer users access CareerConnect with a password set locally on CareerConnect. These passwords were invalidated by GTI and users will be asked to reset their password next time they sign in," the university said.
CareerConnect platform breach on May 28
The University of Oxford disclosed that attackers breached the CareerConnect career services platform on May 28; the university learned of the breach from its third‑party provider, Group GTI (GTI). According to the university, the attackers had access to users' first names, last names, email addresses, and encrypted passwords for accounts that do not sign in using Single Sign‑On (SSO).
GTI has invalidated locally set passwords; the university said affected users will be asked to reset their password the next time they sign in. Oxford warned staff, students and external CareerConnect users they could be targeted by phishing or scam emails following the incident.
Group GTI, the vendor, and the scope of the compromise
Oxford emphasised that the incident affected only GTI's third‑party system and that there is no evidence the attack compromised university systems. The university and GTI have also reported no evidence that students' passwords or financial information were accessed.
GTI characterised the breach as focused on gathering credentials, a pattern the provider said "may lead to phishing attempts." Beyond the account data listed, Oxford stated there is no evidence that course information, uploaded files, appointment information, or financial information were involved in the incident.
Impact for users: who was affected and what will change
The university identified several categories of CareerConnect users whose accounts use locally stored passwords: alumni, research staff and employer users. Those local passwords were invalidated by GTI, and affected users will encounter a mandatory password reset at next sign‑in. For users authenticating via SSO, encrypted passwords were not identified among the exposed fields.
Oxford has alerted its community and external CareerConnect users to be vigilant for phishing or scam emails that could follow from the credential collection. An Oxford University spokesperson was not immediately available when contacted by BleepingComputer for comment on the CareerConnect data breach.
This is the second education sector disclosure at Oxford in the last month
Oxford's announcement follows an earlier disclosure in early May involving Instructure's Canvas learning management system (LMS). In that episode, the ShinyHunters extortion gang breached Canvas and claimed to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms worldwide.
Instructure reached an agreement with the cybercrime group whereby the hackers returned the stolen data and provided shred logs confirming its destruction. Oxford confirmed it was one of the victims of the Canvas incident, saying its systems were not compromised there either and that the exposed Canvas data was limited to usernames, Canvas email addresses, messages exchanged between users on the platform, course names, and course enrolment information.
How King's College London, the University of Manchester and other customers factor in
CareerConnect is used by other UK educational organisations, such as King's College London and the University of Manchester, to run institution‑specific career hubs. Oxford's disclosure does not state that those institutions were affected, only that they use the same platform for their career services.
Because GTI supplies CareerConnect to multiple institutions, notifications, password resets, and phishing warnings issued through GTI and individual universities will determine how broadly the credential exposure is felt across other users of the platform.
For now, the immediate facts are clear: GTI informed Oxford of a May 28 breach of CareerConnect that exposed names, email addresses and encrypted passwords for locally authenticated accounts; GTI invalidated those passwords; and both GTI and Oxford report no evidence that university systems, students' passwords, course materials, uploaded files or financial information were accessed. The university has warned its community to expect phishing attempts as the most likely follow‑on harm.




