
Recent Discovery of Account Compromise

6/16/16

by Jeroen Barendse

Four years ago, LinkedIn was hacked. Three years ago, Tumblr was hacked, but the company didn't realize it until last month. Similarly, the LinkedIn hack of four years ago recently yielded new information: what was thought to be a breach of 6.5 million passwords turned out to be 117 million. Often, these breaches are discovered only after a large collection of identities is offered for sale on the black market. Researchers then must spend time determining the common link between the identities in order to identify the source of the hack. All the while, companies most often deny that they were breached, so accurate and timely information about these situations is, unfortunately, rare.

Why is this important to our campus?

Recently, our campus has received several notices that campus identities (i.e. email addresses) were used to sign up for sites like LinkedIn and Tumblr, and that the usernames and passwords used for these sites were found in a publicly available "credential dump" online. This puts our campus at risk because the same passwords may also have been used on our campus systems; studies show that people frequently reuse passwords.

What are we doing about this?

For faculty/staff: Please note that this is one of the reasons you are required to change your password periodically. If you have not changed your campus password recently, we will be requiring you to change your password within 24 hours of receiving a notification from infosec@csusm.edu.

For students: As a precaution, we have scrambled the passwords of users who were identified in the credential dump and who have not changed their password within the past six months. We believe that these actions are necessary due to the frequent practice of password reuse, and the fact that we do not (yet) require students to periodically change their password. If you believe you are affected by this, please contact the HelpDesk at helpdesk@csusm.edu.
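The triage described above (match a credential dump against campus identities, then pick out the accounts whose campus password is older than six months) can be scripted. The following is an added example and not the campus's own tooling: the "email:password" dump format, the csusm.edu domain match, and the last-change dates are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample credential dump lines in "email:password" form,
# including a mixed-case address and a malformed line.
SAMPLE_DUMP = """\
alice@csusm.edu:Summer2012!
bob@example.com:hunter2
carol@csusm.edu:qwerty123
dave@CSUSM.EDU:letmein
malformed-line-without-colon
"""

# Constructed directory data: account -> date of last campus password change.
LAST_PASSWORD_CHANGE = {
    "alice@csusm.edu": date(2016, 4, 1),   # changed recently
    "carol@csusm.edu": date(2015, 9, 1),   # stale
    "dave@csusm.edu": date(2015, 12, 1),   # stale
}

def campus_accounts_in_dump(dump_text, domain):
    """Return the normalised set of campus addresses present in the dump.

    Only the identity is kept; the leaked password is discarded so the
    result can be handled without storing cleartext credentials.
    """
    found = set()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than aborting the run
        email = line.split(":", 1)[0].strip().lower()
        if email.endswith("@" + domain.lower()):
            found.add(email)
    return found

def accounts_to_scramble(dump_text, domain, last_change, today, max_age_days=182):
    """Accounts in the dump whose campus password is older than max_age_days
    (roughly six months) or has no recorded change date at all."""
    cutoff = today - timedelta(days=max_age_days)
    result = []
    for email in sorted(campus_accounts_in_dump(dump_text, domain)):
        changed = last_change.get(email)
        if changed is None or changed < cutoff:
            result.append(email)
    return result

if __name__ == "__main__":
    print(accounts_to_scramble(SAMPLE_DUMP, "csusm.edu", LAST_PASSWORD_CHANGE, date(2016, 6, 16)))
```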

What should you do about this?

If you have a LinkedIn and/or Tumblr account and haven't changed your password on these sites in the last year, you should do so immediately. You should develop the habit of changing passwords periodically and, more importantly, avoid reusing passwords at multiple sites.