Follow-up to IA advisory about U-M account credentials and Chegg data breach

10/04/2019
badge

This information was sent to U-M IT staff groups through email on October 4, 2019. It is intended for U-M IT staff who were affected by the password data breach at Chegg.

Hello IT Security Community and Frontline Notify,

Thank you to those of you who assisted students and others whose passwords were reset last week as a result of reuse at U-M of passwords exposed in a data breach at Chegg. Thank you to all who were affected by this for your understanding and patience as we worked to bring in additional staff to reduce the wait time for people contacting the ITS Service Center.

 Password resets are complete. All UMICH (Level-1) passwords that matched passwords exposed in the Chegg data breach have now been reset, and the threat from this particular breach has been mitigated.

 A summary of actions taken to investigate and resolve this incident, and keep you informed, is provided below. This has also been posted as an update to the advisory on Safe Computing.

 Reminder that security is a shared responsibility. We all have a part to play in securing the university's systems and data, as well as our own.

  • Use unique passwords for each account and site. Password reuse and sharing expose the university and the user to unnecessary risk.
  • Use two-factor. Use of two-factor (Duo) for Weblogin stops an attacker who has your UMICH password from logging in to Wolverine Access, your U-M Google Mail, and other U-M services that you log in to via the Weblogin webpage. This is why we are expanding use of Duo at U-M by requiring students to use it as of January 2020.

 Thank you for all you do to protect the university's systems and data!

 

 Sincerely,

ITS Information Assurance

Summary of Events

  • Sept. 22-23.Compromises discovered. A number of compromised U-M credentials relaying spam and scam email were identified. Passwords for these accounts were reset (randomized) following normal procedures for handling compromised accounts. Investigation by ITS Information Assurance (IA) led to increasing confidence that the compromised credentials matched those exposed in a 2018 data breach at Chegg that were recently posted online. 
  • Sept. 24. 
  • Sept. 25. 
    • ITS Service Center wait times lead to increased staffing. As the number of compromised credentials being misused continued to increase and passwords for those accounts were reset, students needing password resets to regain access to their accounts experienced longer than usual wait times when calling the ITS Service Center. ITS increased staffing for the rest of the week.
    • Proactive investigation. IA proactively identified UMICH passwords matching those exposed in the Chegg breach and made plans to reset those to prevent misuse.
  • Sept. 26-30.Proactive password resets. IA proactively reset UMICH passwords matching those exposed in the Chegg breach, including those that had not yet been misused. This was done in batches to minimize disruption.
  • Sept. 27. Faculty notified. ITS sent email to faculty, instructors, and leaders to let them know about the issue: ITS is taking action to protect U-M accounts
  • Sept. 28. Advisory updated. The advisory on Safe Computing was updated with additional information and a link to the faculty notification.
  • Oct. 3. Incident closed. In total, passwords for more than 4,500 U-M accounts were reset.
  • Date to be determined. Impacted students to be surveyed. ITS will invite students whose passwords were reset to share their feedback about their experiences, as well as provide them with safe computing tips, password management tips, and reminders to turn on two-factor (Duo) for Weblogin.
Security