Educause Security Discussion mailing list archives
Re: Chegg Data Breach notification (Thanks to HIBP)
From: Matt Armstrong <marmstrong () MASTERS EDU>
Date: Tue, 24 Sep 2019 21:24:30 +0000
Robert, I’ve been working with the HIBP Domain Search exports, pulling down the JSON and manipulating the data with PowerShell. That allows me to do most of the things I could do with the API without paying for it. That said, it’s cheap, so it wouldn’t be a big deal to work with the API either. Most recently, I was able to pull a list of everyone from our organization from the Chegg breach with a small PowerShell one-liner and export it to a CSV. I’m sure there’s more that can be done, but I think it would generally be similar to what you can do with the API. Essentially, with the export, all the data is there, it’s just a matter of parsing it.

Matt Armstrong
Infrastructure Support Engineer
The Master’s University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Tuesday, September 24, 2019 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

A slight tangent... anybody using the HIBP API? What have you done with it? We’re looking at it now and just starting to test with it.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of John McCabe
Sent: Tuesday, September 24, 2019 1:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

I'm continually tracking down compromised accounts at my institution. We use G Suite and regularly get alerts of suspicious behavior. Sometimes the suspicious alert is a false positive. I do my best to detect false negatives though, as that's where my visibility can be at zero for a given set of compromised accounts.

If you're looking for compromised accounts that your managed threat service missed... Some of the recent compromised accounts are used to register teamviewer.com accounts. Look for emails from service-noreply () teamviewer com where the subject is "TeamViewer帐户 - 电子邮件确认" (Chinese: "TeamViewer account - email confirmation"). I've reported the accounts to teamviewer.com using https://content.teamviewer.com/en/report-a-scam/ which is really not meant for this purpose. If anyone has a better contact please share.

Separately, I've noticed some of the compromised accounts have joined a botnet and have done so using a method that is not new. The compromised account sends an email to a reasonable domain such as gmail.com with a message that includes the email address, password and the SMTP server.

If you can search over the message bodies (and your institution uses gmail) then try this string on sent email: ,smtp.gmail.com:465 . Yes, include the leading comma.

Happy hunting,
John

On Fri, Aug 16, 2019 at 9:03 AM Frank Barton <bartonf () husson edu> wrote:

Good morning folks,

I'm sure a bunch of you got similar notifications this morning that $BIGNUM accounts at your domain were impacted by the April 2018 Chegg Data breach. We are looking at how we want to address this, as I'm sure that many students use the same password everywhere. Have any of you decided how you are going to address this? Are you notifying impacted users? Are you requiring a password reset for campus systems?

Thank You
Frank

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
John McCabe
Senior Information Security Manager & Data Protection Officer
Information Technology Services
Manhattan College
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
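Matt's approach above (parse the HIBP Domain Search JSON export with PowerShell and write the Chegg hits to a CSV), worked through as an added PowerShell example that is not code from the thread. It assumes the export has the same shape as the JSON that HIBP's domain search API returns: one object whose keys are the aliases (local parts) on your domain and whose values are arrays of breach names. The file name, the domain and the small export embedded in the script are placeholders constructed for the example; check the shape against your own download before relying on the output.

```powershell
# Added example, not code from the thread. Extracts every alias on the domain that
# appears in a named breach from an HIBP Domain Search JSON export and writes a CSV.
# Assumed export shape (verify against your own file):
#   {"jdoe":["Chegg","Adobe"],"asmith":["Chegg"],...}   -- alias -> breach names
param(
    [string]$ExportPath = '.\hibp-domain-export.json',   # placeholder file name
    [string]$Domain     = 'example.edu',                  # placeholder domain
    [string]$Breach     = 'Chegg',                        # HIBP breach name to select
    [string]$OutCsv     = '.\chegg-affected.csv'
)

# Constructed sample export so the script runs offline when no file is present.
$sampleJson = @'
{
  "jdoe":   ["Chegg", "Adobe"],
  "asmith": ["Chegg"],
  "bjones": ["LinkedIn"]
}
'@

$raw = if (Test-Path $ExportPath) { Get-Content -Raw -Path $ExportPath } else { $sampleJson }

# ConvertFrom-Json returns a PSCustomObject with one property per alias;
# walk the properties rather than hard-coding names.
$export = $raw | ConvertFrom-Json

$hits = foreach ($prop in $export.PSObject.Properties) {
    $breaches = @($prop.Value)
    # -contains is an exact, case-insensitive match against the breach-name array.
    if ($breaches -contains $Breach) {
        [pscustomobject]@{
            Email       = "$($prop.Name)@$Domain"
            Breach      = $Breach
            AllBreaches = ($breaches -join ';')   # useful for prioritising repeat offenders
        }
    }
}

$hits | Sort-Object Email | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host ("{0} address(es) on {1} appear in the {2} breach; written to {3}" -f @($hits).Count, $Domain, $Breach, $OutCsv)
```

With the embedded sample the CSV contains jdoe@example.edu and asmith@example.edu; bjones is skipped because LinkedIn is not the selected breach. The AllBreaches column is there so the people who show up in several breaches can be handled first, since those are the accounts most likely to be reusing a password.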
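John's two hunting tips (the TeamViewer registration mail and the ",smtp.gmail.com:465" credential line in sent mail), as an added PowerShell example that is not part of his post. It assumes you have already pulled sent and received messages out of G Suite into objects with Folder, From, To, Subject and Body fields (how you export them is outside this example); the three messages below are constructed, and the assumed layout of the exfiltrated line is address,password,smtp.gmail.com:465, which is why the leading comma matters. The script reports the account and the indicator but deliberately never stores or prints the password.

```powershell
# Added example, not code from the thread. Constructed sample messages; replace with
# your own export. The Folder/From/To/Subject/Body layout is an assumption.
$messages = @(
    [pscustomobject]@{ Folder = 'Sent'; From = 'student1@example.edu'; To = 'drop.box@gmail.com'
                       Subject = 'hi'; Body = 'student1@example.edu,Hunter2!,smtp.gmail.com:465' }
    [pscustomobject]@{ Folder = 'Inbox'; From = 'service-noreply@teamviewer.com'; To = 'student2@example.edu'
                       Subject = 'TeamViewer帐户 - 电子邮件确认'; Body = 'Please confirm your email address.' }
    [pscustomobject]@{ Folder = 'Sent'; From = 'staff@example.edu'; To = 'colleague@example.edu'
                       Subject = 'SMTP settings'; Body = 'Use smtp.gmail.com:465 with SSL.' }   # no leading comma: benign
)

# Indicator 1: the credential line a bot mails to its operator. Match the literal
# ",smtp.gmail.com:465" (comma included) so a help-desk mail that merely mentions
# the server does not fire, then pull the first e-mail address out of the body.
$exfilMarker  = ',smtp.gmail.com:465'
$addressRegex = '[^\s,@]+@[^\s,]+'

# Indicator 2: TeamViewer account confirmation sent to one of our addresses.
$teamViewerSender  = 'service-noreply@teamviewer.com'
$teamViewerSubject = '*TeamViewer帐户*'   # Chinese "TeamViewer account"; subject seen in the wild per the post

function Find-CompromisedAccounts {
    param([Parameter(Mandatory)][object[]]$Messages)
    foreach ($m in $Messages) {
        if ($m.Folder -eq 'Sent' -and $m.Body -like "*$exfilMarker*") {
            $addr = [regex]::Match($m.Body, $addressRegex).Value
            if (-not $addr) { $addr = $m.From }          # fall back to the sending account
            [pscustomobject]@{
                Account   = $addr
                Indicator = 'botnet-credential-exfil'
                Evidence  = "sent to $($m.To)"            # password intentionally not recorded
            }
        }
        elseif ($m.From -eq $teamViewerSender -and $m.Subject -like $teamViewerSubject) {
            [pscustomobject]@{
                Account   = $m.To
                Indicator = 'teamviewer-registration'
                Evidence  = "subject: $($m.Subject)"
            }
        }
    }
}

$findings = Find-CompromisedAccounts -Messages $messages
$findings | Format-Table -AutoSize
```

On the sample data this reports student1@example.edu (botnet-credential-exfil) and student2@example.edu (teamviewer-registration) and stays silent on the staff message, which shows why John says to keep the leading comma. Either hit should be treated as a confirmed compromise: reset the password, revoke active sessions and app passwords, and check the mailbox for forwarding rules the attacker may have left behind.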
Current thread:
- Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Aug 16)
- Re: Chegg Data Breach notification (Thanks to HIBP) Seidl, David (Aug 16)
- Re: Chegg Data Breach notification (Thanks to HIBP) Ken Connelly (Aug 16)
- Re: Chegg Data Breach notification (Thanks to HIBP) Blake M Bourgeois (Aug 16)
- Re: Chegg Data Breach notification (Thanks to HIBP) John McCabe (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Manjak, Martin (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Matt Armstrong (Sep 24)
- <Possible follow-ups>
- Re: Chegg Data Breach notification (Thanks to HIBP) Joseph Tam (Aug 16)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Garrett McManaway (Sep 23)
- Re: [EXTERNAL] Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP) Zachary Yamada (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Jim A. Bole (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Hagan, Sean (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)