When they first heard that someone had bragged in a blog post about hacking into their website, officials at Metropolitan State University weren't sure what to make of it.
The hacker, they were told, appeared to be a teenager from Australia who claimed to have attacked Metro State's website, and dozens of others, on a whim.
Within a week, they discovered that it was no idle boast.
On Friday, the university announced that it was investigating a security breach that could have exposed personal information about an unknown number of students, faculty and staff.
In a campuswide e-mail, interim president Devinder Malhotra disclosed Friday that a university database had been breached, and that people on campus should be on the alert for identity theft.
"We do not believe this server contained any financial data or credit card information," he wrote, but it did include personal information, including employee Social Security numbers.
Officials say they learned about the problem Jan. 2, when a cybersecurity service notified the university about the hacker's blog post.
"This particular person was claiming to have hacked into 75 different websites, and we were just one of those," said Anne Sonnee, interim vice president for communications.
She said the university waited until Friday to announce the security breach because it took time to verify that someone had, in fact, hacked into the system and improperly accessed information and to disable the flaw in the security system. She said officials wanted to ensure that the system was protected "from further attack" before going public and risking "copycat" hackers.
She said she had no information on whether investigators have been able to trace the identity of the hacker. She said the Secret Service is investigating.
At this point, Sonnee said, it's still not clear what information the hacker obtained from the school's database.
The university has switched its website to a new server to prevent further security breaches. That change resulted in some computer glitches for students and others trying to access the Metro State website Friday. Sonnee said staff would be working through the weekend to fix those problems.
The school has about 11,500 students and 1,200 faculty and staff.
In the campus e-mail, Malhotra urged faculty, staff and students to watch for suspicious activity on their credit cards and other financial transactions. "The university sincerely regrets this apparent breach and any inconvenience it may cause," he wrote.