BreachExchange mailing list archives
EDUCAUSE SECURITY BREACH AND PASSWORD CHANGE INFORMATIO
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Sat, 23 Feb 2013 16:02:03 -0500
http://www.educause.edu/educause-security-breach-and-password-change-information

In February 2013, EDUCAUSE discovered a security breach involving an EDUCAUSE server. Below are answers to questions about this breach.

Who was affected and what data was involved?

Individuals with an EDUCAUSE website profile

Any information contained in individual EDUCAUSE website profiles (e.g., name, title, e-mail address, username, and hashed password) may have been compromised. As a result, individuals with an EDUCAUSE website profile must change their password. It is not necessary for InCommon account holders to update their institutional credentials because EDUCAUSE does not have access to, or store on any server, InCommon account information.

.edu domain accounts

The breach may have compromised the hashed passwords of .edu domain holders. As a result, the designated administrative, technical, or billing contact must change the domain password. Administrative and technical contacts have already been notified by EDUCAUSE.

As a precaution, all passwords have already been deactivated; therefore, individuals do not need to create new passwords immediately.

Members and individuals who do not have an EDUCAUSE website profile or are not a .edu domain holder are not required to take action.

Who was notified?

Individuals with active EDUCAUSE website profiles and administrative and technical contacts for .edu domain accounts were notified via e-mail on Tuesday, February 19. The e-mail notice was sent through our mass e-mail marketing software (Informz). Links within the e-mail are redirected through this marketing product. Because e-mail delivery isn’t always guaranteed, EDUCAUSE also posted messages in social media, on its website, in several constituent and discussion groups, and on the .edu website.

Members and individuals who do not have an EDUCAUSE website profile or are not a .edu domain holder were not notified because they do not need to take any action. This includes individuals who subscribe exclusively to our constituent and discussion groups. Prior to June 8, 2012, subscribers to EDUCAUSE groups were not required to have a profile; therefore, many individuals who only use this service are not affected.

Was any sensitive personal or financial information accessed?

Based on our investigation to date, we do not believe that any sensitive personal or financial information has been accessed.

What steps has EDUCAUSE taken to prevent similar security breaches in the future?

EDUCAUSE took immediate steps to contain this breach and is working with Federal law enforcement, investigators, and security experts to make sure this incident is properly addressed. Along with outside security experts, EDUCAUSE has implemented additional security measures to help prevent this type of breach in the future. As a precaution, all passwords have been deactivated. Individuals with EDUCAUSE website profiles and .edu domain holders are being asked to create a new password.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list