ADVISORY: Some U-M student account credentials compromised through password reuse (updated)

Friday, October 4, 2019

10/4/19 update: This update was sent via email to U-M IT staff groups.

  • Password resets are complete. All UMICH (Level-1) passwords that matched passwords exposed in the Chegg data breach have now been reset, and the threat from this particular breach has been mitigated.
  • Thank you! Thank you to those of you who helped people in your unit regain access to their accounts. Thank you to all who were affected by this for your understanding and patience as we worked to bring in additional staff to reduce the wait time for people contacting the ITS Service Center.
  • Summary of actions taken:
    • Sept. 22-23. Compromises discovered. A number of compromised U-M credentials relaying spam and scam email were identified. Passwords for these accounts were reset (randomized) following normal procedures for handling compromised accounts. Investigation by ITS Information Assurance (IA) led to increasing confidence that the compromised credentials matched those exposed in a 2018 data breach at Chegg that were recently posted online.
    • Sept. 24.
      • Compromises increase. The number of compromised credentials being misused continued to increase throughout the day.
      • IT staff notified. IA sent and posted an advisory (see below).
    • Sept. 25.
      • ITS Service Center wait times lead to increased staffing. As the number of compromised credentials being misused continued to increase and passwords for those accounts were reset, students needing password resets to regain access to their accounts experienced longer than usual wait times when calling the ITS Service Center. ITS increased staffing for the rest of the week.
      • Proactive investigation. IA proactively identified UMICH passwords matching those exposed in the Chegg breach and made plans to reset those to prevent misuse.
    • Sept. 26-30. Proactive password resets. IA proactively reset UMICH passwords matching those exposed in the Chegg breach, including those that had not yet been misused. This was done in batches to minimize disruption.
    • Sept. 27. Faculty notified. ITS sent email to faculty, instructors, and leaders to make them aware of the issue: ITS is taking action to protect U-M accounts.
    • Sept. 28. Advisory updated. The advisory below was updated with additional information and a link to the faculty notification.
    • Oct. 3. Incident closed. In total, passwords for more than 4,500 U-M accounts were reset.
    • Date to be determined. Impacted students to be surveyed. ITS will invite students whose passwords were reset to share their feedback about their experiences, as well as provide them with safe computing tips, password management tips, and reminders to turn on two-factor (Duo) for Weblogin.

-------------------------------------

9/28/19 update: ITS has notified faculty, instructors, and university leaders that some of the students they work with may experience a brief, temporary interruption in their access to university online resources and need to get their UMICH password reset as a result of the Chegg data breach and password reuse (see details below). ITS Information Assurance is continuing to monitor the situation and mitigate compromised account credentials as needed, working closely with the ITS Service Center to ensure appropriate staffing levels to minimize disruptions as much as possible.

To protect yourself and the university:

  • Do not reuse your UMICH (Level-1) password for any non-university site or service. Once criminals have access to lists of user IDs and passwords, like those exposed online from the Chegg data breach, they can use them to compromise other accounts that use the same credentials.
  • Use a unique password for each account. See Manage Your Passwords for general password management tips.
  • If you have used your UMICH password for non-university sites or services, change your UMICH password to something unique. For other situations where you should change your password, see Password Security Checklist.
  • If you have used the same password across multiple accounts and sites, change those passwords so that each is unique. And set up two-factor authentication for your personal accounts if it is available.
  • Turn on two-factor for Weblogin (Duo) if you are not already using it. Use of Duo with Weblogin stops an attacker who has your UMICH password from logging in to Wolverine Access, your U-M Google Mail, and other U-M services that you log in to via the Weblogin webpage.

-------------------------------------
The information below was sent through email to U-M IT staff groups on September 24, 2019.

ITS Information Assurance is randomizing passwords for a number of UMICH accounts with compromised credentials—about 1,000 as of this morning. Those whose passwords are randomized will need to call the ITS Service Center for a password reset.

No U-M systems were compromised. These account credentials were compromised as a result of a data breach outside the university combined with reuse of UMICH passwords for a non-university service.

Email addresses and passwords exposed in a 2018 data breach at Chegg, an online textbook provider, have been made available online. Several universities, including U-M, have seen malicious use of these email addresses and passwords in recent days.

Although Chegg reset user passwords back in 2018, some people use the same password across multiple sites, often in conjunction with a single email address. Password reuse is a bad idea: malicious actors can use the exposed email address and password to compromise other accounts that use the same password.

The affected accounts at U-M are ones where the user set their UMICH (Level-1) password to be the same as their 2018 Chegg password. Most of the affected accounts are owned by students, with a small number owned by alumni and by staff members who have also been students.

The compromised account credentials were largely used to relay work-at-home and online-romance scam email through U-M email servers. The credentials do not appear to have been used to actually log in to U-M Google Mail or other U-M services.

Would you please help with the following?

  • If students or former students come to you for help because their UMICH password isn't working, direct them to the ITS Service Center for a password reset.
  • Remind people not to reuse their UMICH password for any non-university site or service. Use a unique password for each account. Direct people to Manage Your Passwords for general password management tips.
  • Encourage students who have not yet turned on two-factor for Weblogin (Duo) to do so now. Use of Duo with Weblogin stops an attacker who has your UMICH password from logging in to Wolverine Access, your U-M Google Mail, and other U-M services that you log in to via the Weblogin webpage.
