No U-M "data breach"—U-M user info used on 3rd party sites exposed

A list of U-M usernames and passwords exposed in various past data breaches at non-university sites and services was made publicly available in the last day or so.

THIS IS NOT A U-M DATA BREACH.

The list appears to be a compilation of older, previously published lists of exposed usernames and passwords from third-party data breaches (such as Chegg, Zynga, LinkedIn, and others). Other universities have seen similar reports (see "UC Berkeley emails, passwords leaked from 3rd-party websites, UC Berkeley not hacked").

No U-M systems or accounts were breached. However, a large number of U-M email addresses (with uniqnames) were included in the list. ITS is resetting UMICH passwords for a very small number of accounts where the username and password for U-M services are the same as the exposed information.

Many members of the university community use their U-M address when signing up for third-party sites and services. ITS routinely instructs users to set a unique password for each site and service and never to use their UMICH password outside the university.

Resetting affected UMICH passwords

ITS IA:

  • Has reset a small number of affected UMICH (Level-1) passwords to prevent unauthorized access to U-M sites and systems. These passwords were reused outside the university and exposed in non-university data breaches.
  • Will send email notices to the owners of those accounts letting them know what happened and instructing them to set a strong, unique UMICH password and not to use it outside the university.

Do not reuse UMICH passwords outside U-M, use two-factor

We want to take this opportunity to remind the U-M community of safe password and strong authentication practices. This includes using a unique password for each online account and using two-factor authentication for personal accounts whenever available. This is exactly why we have implemented Duo to provide additional protection for all faculty, staff, and students at U-M.

There is more information on the Safe Computing website: