Educause Security Discussion mailing list archives
Re: Chegg Data Breach notification (Thanks to HIBP)
From: "Sonder, Henk E." <hsonder () RIC EDU>
Date: Tue, 1 Oct 2019 23:08:48 +0000
Ron,

Based on your attachment I dug into the logs and found 2 emails sent to the same Gmail account, with the same content in the body of the email. I read those emails as follows:

Someone in Russia (based on http://ya.ru, which is a site that is still up and seems to be fronting the search site yandex.ru) is running a script that reads a CSV file with accounts, tests the username/password combination via IMAP and, to confirm that the record in the CSV file has a good username/password combination, it emails that line (that is the content in the email body) to this Gmail account.

Seems to be a simple and effective method to weed through tens of thousands of records and confirm that a username/password combination is still valid.

Henk E. Sonder
Director Information Security
Rhode Island College

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, October 1, 2019 5:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Just had another. One thing we started noticing last week was a single email, image attached, with a random string and comma-separated fields with username, password, and SMTP settings. They are all being sent to a particular address. Looks like input into a script. I think it may have been mentioned here before, but, thought I would provide specifics in case not included before.

Ron

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Friday, September 27, 2019 1:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

We have also had one re-compromise.

Ronald King
Chief Information Security Officer
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Thursday, September 26, 2019 2:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Andrea, we just had our first confirmed 're-compromise' and are starting down the road of trying to figure out how it happened. Do you have any insight that you are willing to share on how the accounts were re-compromised?

Frank

On Mon, Sep 23, 2019 at 12:10 PM Tanner, Andrea <atanner3 () ccbcmd edu> wrote:

Hi everyone,

Our IA team said that we have had a few accounts this past week where a compromised account password was reset by the student but the account again gets compromised. We don’t allow password reuse for a specific number of past passwords. I wonder if ours is different behavior than what you folks are noticing with the Chegg breach accounts. Has anyone else been seeing this recompromise, too?

Side note: It might be we are dealing with a compromise and malware combination attack or we have somewhere on our campus where we have malware installed that we must eradicate. Lots of work to do!

Andrea
Pronouns: She/Her/Hers
Andrea Tanner, M.S. | Senior Director, Technology Support | Community College of Baltimore County
Phone: 443-840-4155 | Catonsville Campus CLLB 104B | atanner3 () ccbcmd edu
CCBC. The incredible value of education.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 23, 2019 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Just to 'close the loop' on this, we're seeing so many attacks based on the Chegg list right now that it isn't even funny. Luckily many of them are failing, but we're seeing a good number of successful 'password reuse' attacks that we can confirm are linked directly to the Chegg list.

Frank

On Fri, Aug 16, 2019 at 7:17 PM Joseph Tam <tam () math ubc ca> wrote:

(Speaking as someone who deals with a few hundred, not a few thousand accounts.)

Frank Barton <bartonf () HUSSON EDU> writes:
Are you notifying impacted users?
Yes. I make reference to the most comprehensive sites I can find that explain the data breach -- disturbingly, some vendors are not very forthcoming about it -- as well as general security advice on password diversification, identity fraud, etc.
Are you requiring a password reset for campus systems?
No. Unless you have evidence that the same password is being used, I rely on the recipient to judge for themselves what are appropriate actions. Forcing people to change their password based on paranoia, like frequent password rotation, is counterproductive.

Ken Connelly <ken.connelly () UNI EDU> writes:
For all similar reports that include a password in the stolen data, we send this message to the affected accounts.
These breaches leak all sorts of data, and hashed passwords may not be as damaging as attempts at identity fraud, so I notify users about that as well.

(In sig)
Any request to divulge your UNI password via e-mail is fraudulent!
Most phish will try and instruct you to enter it into a web form, but making this distinction in a short sig is doomed to failure. Reducing security to a slogan is the opposite of what you want.

"Jim A. Bole" <jbole () STEVENSON EDU> writes:
We subscribe to haveibeenpwned.com's domain search notification service. We've seen a steady increase in notifications around these types of services:
- Chegg
- Canva
- Adobe
I'm also subscribed there, and the recent spike in reported accounts seems to be sourced from the same individual. Apparently, this person found a way to get a hold of a lot of breached data. (Maybe working undercover?)

From: Blake M Bourgeois <bbour53 () LSU EDU>
For what it is worth, we saw the data in the breach being leveraged as early as May 2018 and were able to finally confirm that the large number of account compromises then were a result of this breach.
I've observed that these data leak notifications get less useful over time. Not only do many accounts go extinct (most of the accounts I get notified about don't exist anymore), but action on earlier breach notices also protects from some later breaches. I see a lot of overlap on accounts where the same user account shows up again and again.

These leaked credentials are exploited though: some of the frequently reported leaked credentials also show up frequently in my auth failure logs.

Joseph Tam <tam () math ubc ca>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
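
One way to hunt for the pattern described in this thread (an added example, not code posted by any list member): scan outbound message records for a body line that is a comma-separated record naming the sending account and a mail host, then group the matches by external recipient. The record layout, `LOCAL_DOMAIN`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LOCAL_DOMAIN = "example.edu"  # assumption: the campus mail domain

# Constructed sample records: (sender, recipient, body). Not real data.
SAMPLE = [
    ("alice@example.edu", "collector@mail.example",
     "x9Qk2,alice@example.edu,REDACTED,smtp.example.edu,587"),
    ("bob@example.edu", "collector@mail.example",
     "p0Lm7,bob,REDACTED,smtp.example.edu,587"),
    ("carol@example.edu", "friend@mail.example",
     "Lunch on Friday, maybe at noon, or later?"),
    ("dave@example.edu", "advisor@other.example",
     "dave@example.edu,notes,attached"),
]

# A field that looks like a host name (e.g. the SMTP server in the record).
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def looks_like_credential_record(sender, body):
    """True if a body line is a CSV record naming the sender and a mail host."""
    sender = sender.lower()
    names = {sender, sender.split("@")[0]}  # full address or bare username
    for line in body.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4:  # username, password and SMTP settings need >= 4
            continue
        has_sender = any(f.lower() in names for f in fields)
        has_host = any(HOST_RE.match(f) for f in fields)
        if has_sender and has_host:
            return True
    return False

def suspicious_collectors(records, min_accounts=2):
    """Map each external recipient to the local senders whose mail matched."""
    hits = defaultdict(set)
    for sender, recipient, body in records:
        if recipient.lower().endswith("@" + LOCAL_DOMAIN):
            continue  # only mail leaving the campus domain is of interest
        if looks_like_credential_record(sender, body):
            hits[recipient.lower()].add(sender.lower())
    return {r: sorted(s) for r, s in hits.items() if len(s) >= min_accounts}

if __name__ == "__main__":
    for rcpt, senders in suspicious_collectors(SAMPLE).items():
        print(rcpt, "<-", ", ".join(senders))
```

Every sender listed for a flagged recipient is an account whose current password validated, so those are the accounts to reset and review first.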