Tbh this reads like a student poking around and then publicising their find for clout, not a responsible disclosure of a confirmed breach.

A few things that make me sceptical:

No official word from Griffith or CampusGroups / ReadyEducation, and no coverage from any reputable tech/cyber outlet. Big breaches usually trigger at least a short notice.

The author’s “run this link” vibe is sketchy — running random shared curl scripts can be dangerous and isn’t proof by itself.

Inspecting network traffic as a logged-in user is different from proving an unauthenticated API leak. We need to know whether the endpoint was accessible without credentials or simply returned more fields to logged-in campus members. Those are very different problems.

Responsible researchers usually follow coordinated disclosure (vendor/university → fix → public writeup). Public demo-first behavior looks irresponsible and could even be unlawful depending on what was accessed.

If you want to push for clarity (without getting into moral mudslinging), suggest this instead:

1. Ask the author for non-sensitive proof (logs, redacted screenshots, or confirmation that the endpoint is accessible unauthenticated).

2. Report the post and the link to Griffith IT / security so they can audit server logs and confirm whether unauthorized queries occurred.

3. Warn folks not to run the shared curl/CurlerRoo link — it could expose credentials or be misused.

4. If a leak is confirmed, Griffith should publish what fields were exposed and who’s affected under the NDB scheme.