The personal data of 146,000 students and recent graduates of Indiana University, including their social security numbers and addresses, may have been exposed during a data breach, the university said in a statement.
Among those affected are people who attended the university from 2011 to 2014 at seven of its campuses, it said late on Tuesday.
"The information was not downloaded by an unauthorized individual looking for specific sensitive data, but rather was accessed by three automated computer data-mining applications, called webcrawlers, used to improve Web search capabilities," it said.
The university found last week that the data had been stored in an insecure location for the past 11 months.
It then locked down the site and moved the data to a secure server the following day, it said.
The university notified the state's attorney general about the breach. It also set up an information hotline and a website to assist those concerned their data may have been exposed.