Officials at George Mason University, where hackers captured personal information about thousands of students and staff from the institution's database, say it is not clear whether the hackers specifically were seeking the confidential files.
"We have no idea what they were looking for," said Daniel Walsch, a GMU spokesman.
The hacking raises the fear that as many as 32,000 students, faculty and staff members connected to the university could become victims of identity fraud.
Mr. Walsch said a member of the school's information technology unit discovered the security breach Jan. 3, but that the violation might have occurred as early as Nov. 4.
The ID server that the hackers accessed contained names, photographs, Social Security numbers and campus identification numbers.
Law-enforcement authorities said yesterday that they think the hackers installed tools on the ID server that enabled them to access other servers at the school.
The authorities said the other computer systems might have been the real targets, but it could not be determined yesterday whether other programs might have been accessed.
GMU officials said there was no evidence that any personal information obtained from the IDserver had been used illegally.
Still, many students who wereon campus yesterday preparing for spring-semester classes said they were concerned.
Sara Fernandez, a sophomore from Arlington, said that even if the hackers were not trying to steal personal information, they might have pointed the way for copycats.
"Mason's full of a lot of smart students," she said. "If one person can do it, I'm sure someone can figure out how to do it again."
Kia Kianersi, a communications majorfrom Fairfax, said he thought the university had tighter security for its server.
"We're so close to Washington, D.C. I think our security would be [better] overall," he said.
Robert Ricks, a 29-year-old computer science major and part-time university employee, said he was recently hired as a summer intern for a company in Reston and was worried there might be problems with his security clearance because his information was stolen.
Mr. Ricks said he called the TransUnion credit bureau yesterday to check his credit activity.
"If someone wants to open a credit card under my name two years from now, who knows?" he said.
Mr. Walsch said campus police have taken the lead in the investigation and have the discretion to ask for assistance from other agencies or forensic experts.
GMU officials also sent an e-mail informing students about the incident and how to protect against identity theft.
Most students have not returned from the winter break to GMU, which has campuses in Fairfax, Arlington and Manassas. The school's spring term begins Jan. 24.
Mr. Walsch said this is the first incident of its kind at GMU. But the exposure of student records is a growing problem nationwide.
Last year, an unsecured computer at the University of California at Berkeley allowed hackers to get away with 1.4 million personal records. In 2003, hackers stole confidential information from the Georgia Institute of Technology and the University of Texas at Austin.
GMU officials said the school was in the process of replacing students' Social Security numbers -- which had been used as their school identification numbers -- with other numbers to protect against identity theft. The move was in response to a law passed last year requiring the removal of Social Security numbers from various ID cards to deter identity theft.
Shirley Rooker, president of the Bethesda-based nonprofit Call For Action Inc. consumer watchdog, said using Social Security numbers as student identifiers is a "bad policy."
"I don't think any university, any school, any health club should ask for it -- period," she said.
Ms. Rooker said potential victims need to check their credit reports immediately.
"If they have any reason to believe their information has been compromised, they should go to the credit bureau to get a copy of their credit report," she said, adding that they should continue to check their credit reports about every three months.
She said months could pass between the time a thief applies for a credit card and when he or she begins using it and becomes delinquent on payments, at which point the victim is notified.
"No one should feel confident because an amount of time has lapsed and there are no signs," she said.
Ms. Rooker said a person who is concerned that he or she is a victim of identity fraud can file a fraud alert with one of the three major credit bureaus -- TransUnion, Equifax and Experian. The bureau then will issue a copy of the person's credit report and notify the person if any credit applications are submitted in his or her name.
Consumers can visit www.callforaction.org or call 866/IDHOTLINE for more information.