An email from the University Information Policy Office and the University Information Security Office sent to IT professionals Tuesday reported that 2,537 sets of IU credentials had been compromised.
About two billion records were publicly posted online and about 45,000 of those were associated with IU email domains.
After receiving the reports yesterday, IU tested the posted credentials and found that most of them were not valid. However, more than 2,500 were able to successfully access IU resources.
According to the email sent Tuesday, 2,240 of the credentials were associated with alumni accounts, four were for retired staff and two were for former employees.
Because the majority of the credentials were associated with former University students and employees, access to important institutional data was limited. IU will be scrambling the account passphrases to prevent any unauthorized access, as it does with all compromised accounts.
The email addresses and passwords came from breaches of other sites like LinkedIn, Adobe, MySpace or Dropbox, Daniel Calarco, chief of staff for the Office of the Vice President for IT and CIO, said.
Sometimes people use their IU email addresses to sign up for these websites and use the same passphrases, Calarco said.
The majority of the posted accounts weren’t valid because IU requires passphrase resets every two years and has strict passphrase requirements, and because most people do not reuse the same passphrase, Calarco said.
“It’s exactly why we have rolled out two-step logins,” he said. “Even if someone reused their IU passphrase on some other company website, even if that site was breached, and even if they had not reset their passphrase in years, the cyber-criminals still would not be able to use the passphrase to access IU systems because they would also need to steal the user’s Duo device.”
Calarco said this is an example of how IU’s technical defenses have successfully guarded against human behavioral risk.
This breach of data has come amidst a recent international ransomware attack that has hit about 150 countries. Ransomware is a type of software that is designed to block access to a computer system until a ransom is paid.
Ransomware attacks generally target large institutions, such as hospital networks, universities and government operating systems.
A piece of ransomware, known as “WannaCry,” attacked businesses, government entities, and most notably, Britain’s National Health Service on May 12. Cyber-criminals exploited devices running Windows and spread across network systems through file sharing and phishing emails, Calarco said.
IU sent an email to IT professionals May 15 warning them of security risks related to the recent ransomware attack. It said IU’s security team put in blocks immediately Friday to help prevent a similar attack on the University system.
However, there are more than 200,000 devices connected to the IU network at any given time, so it is a challenge to protect them all.
There have been no infected devices detected yet, but IU students, faculty and staff should still be alert and look out for suspicious emails.
“If they receive a message that looks like it’s from Facebook, Google or IU, they should type in the web address, like one.iu.edu and then search to see if they have any notifications or messages, instead of clicking links,” Calarco said. “Also, when they receive a desktop notification from Windows, macOS, Android or iOS that says they need to update software, they should do so as soon as possible.”