Gotcha. Then maybe it is time for them to have a conversation with the friendly network administrator. You might have lost your logs, but university network appliances usually log alot.

Perhaps it’s something that I’m missing. What do you mean when you say their email is confirmed?

Usually when this happens, it’s a result of someone taking advantage of an application vulnerability, e.g. sql injection. Sometimes it’s more serious, like a script uploaded and a privilege escalation to execute it. The email value written to your database could be anything.

Not to condescend, but this is a good learning experience. If they were able to write to your db, they could likely also read from it, dump the whole thing and harvest the data.

How can you determine that someone didn’t use their info as subterfuge? It sounds like most people could find that information and use it. You’ll need a little more evidence.

Personally, I’d ask them if they want to pen test my next application and see how they respond.

For many, a mobile device is their sole computer, and things of importance to them are stored on it.