Educause Security Discussion mailing list archives

Re: Chegg Data Breach notification (Thanks to HIBP)


From: Ramon Rentas <rentas () MACALESTER EDU>
Date: Fri, 27 Sep 2019 10:32:15 -0500

Macalester College is a member of REN-ISAC https://www.ren-isac.net/

REN-ISAC provided Macalester with a list (link to a CSV) of all the
compromised accounts under our domain.  The list contained emails and
passwords.  We used that list to create a mail merge to contact the owners
of the compromised accounts.

---

Ramón Rentas

Associate Director for Infrastructure, Security & Enterprise Services

Information Technology Services

rentas () macalester edu

1600 Grand Avenue

Saint Paul, MN 55105 USA

*Never email your password to anyone!*



On Thu, Sep 26, 2019 at 1:47 PM Hart, Michael <mhart20 () msudenver edu> wrote:

We’ve identified accounts where new mobile device associations were set
up.  We’re changing passwords, unsyncing all mobile devices from
compromised accounts, enabling MFA, and then re-enabling.  Hopefully this
will stop the re-compromise indicators we’ve also seen.



*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Frank Barton
*Sent:* Thursday, September 26, 2019 12:45 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)



Andrea, we just had our first confirmed 're-compromise' and are starting
down the road of trying to figure out how it happened. Do you have any
insight that you are willing to share on how the accounts were
re-compromised?



Frank



On Mon, Sep 23, 2019 at 12:10 PM Tanner, Andrea <atanner3 () ccbcmd edu>
wrote:

Hi everyone,



Our IA team said that we have had a few accounts this past week where a
compromised account password was reset by the student but the account again
gets compromised.  We don’t allow password reuse for a specific number of
past passwords.  I wonder if ours is different behavior than what you folks
are noticing with the Chegg breach accounts.  Has anyone else been seeing
this recompromise, too?



Side note: It might be we are dealing with a compromise and malware
combination attack or we have somewhere on our campus where we have malware
installed that we must eradicate.  Lots of work to do!



Andrea

*Pronouns: She/Her/Hers*



*Andrea Tanner, M.S. *| Senior Director, Technology Support | Community
College of Baltimore County
Phone: *443-840-4155 * | Catonsville Campus CLLB 104B       |
atanner3 () ccbcmd edu
*CCBC. The incredible value of education.*



*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Frank Barton
*Sent:* Monday, September 23, 2019 9:21 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)






Just to 'close the loop' on this, we're seeing so many attacks based on
the Chegg list right now that it isn't even funny. Luckily many of them are
failing, but we're seeing a good number of successful 'password reuse'
attacks that we can confirm are linked directly to the Chegg list.



Frank



On Fri, Aug 16, 2019 at 7:17 PM Joseph Tam <tam () math ubc ca> wrote:

(Speaking as someone who deals with a few hundred, not a few thousand
accounts.)

Frank Barton <bartonf () HUSSON EDU> writes:

Are you notifying impacted users?

Yes.  I make reference to the most comprehensive sites I can find that
explain the data breach -- disturbingly, some vendors are not very forthcoming
about it -- as well as general security advice on password diversification,
identity fraud, etc.

Are you requiring a password reset for campus systems?

No.  Unless you have evidence that the same password is being used, I rely
on the recipient to judge for themselves what are appropriate actions.
Forcing people to change their password based on paranoia, like frequent
password rotation, is counterproductive.

Ken Connelly <ken.connelly () UNI EDU> writes:

For all similar reports that include a password in the
stolen data, we send this message to the affected accounts.

These breaches leak all sorts of data, and hashed passwords may not be
as damaging as attempts at identity fraud, so I notify users about that
as well.

(In sig)
Any request to divulge your UNI password via e-mail is fraudulent!

Most phish will try and instruct you to enter it into a web form,
but making this distinction in a short sig is doomed to failure.
Reducing security to a slogan is the opposite of what you want.

"Jim A. Bole" <jbole () STEVENSON EDU> writes:

We subscribe to haveibeenpwned.com's domain search notification service.
We've seen a steady increase in notifications around these types of
services:
- Chegg
- Canva
- Adobe

I'm also subscribed there, and the recent spike in reported accounts
seems to be sourced from the same individual.  Apparently, this person
found a way to get a hold of a lot of breached data.  (Maybe working
undercover?)

From:    Blake M Bourgeois <bbour53 () LSU EDU>

For what it is worth, we saw the data in the breach being leveraged as
early as May 2018 and were able to finally confirm that the large
number of account compromises then were a result of this breach.

I've observed that these data leak notifications get less useful over
time.  Not only do many accounts go extinct (most of the accounts I
get notified about don't exist anymore), but action on earlier breach
notices also protects from some later breaches.  I see a lot of overlap
on accounts where the same user account shows up again and again.

These leaked credentials are exploited though: some of the frequently
reported leaked credentials also show up frequently in my auth failure
logs.

Joseph Tam <tam () math ubc ca>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community




--

Frank Barton, MBA

Security+, ACMT, MCP

IT Systems Administrator

Husson University
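
Added example, not written by anyone in this thread: one way to cross-reference the usernames from a breach notification against authentication logs, as several posters describe doing, to separate accounts that were only targeted from those with a successful login from a credential-stuffing source, including after a password reset. The log format, event names (`FAIL`, `OK`, `PWRESET`, `DEVICE_ADD`), usernames and addresses are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: usernames from a breach notification (passwords not kept).
BREACHED = {"alice", "bob", "carol", "dave"}

# Constructed auth log in a hypothetical format: time,user,source_ip,event
SAMPLE_LOG = """\
2019-09-20T08:00:01,alice,203.0.113.7,FAIL
2019-09-20T08:00:02,bob,203.0.113.7,FAIL
2019-09-20T08:00:03,carol,203.0.113.7,OK
2019-09-20T08:05:00,carol,203.0.113.7,DEVICE_ADD
2019-09-20T09:00:00,dave,198.51.100.4,OK
2019-09-21T10:00:00,carol,198.51.100.9,PWRESET
2019-09-22T03:00:00,carol,203.0.113.7,OK
2019-09-22T03:10:00,eve,203.0.113.7,FAIL
"""

def triage(log_text, breached, min_targets=2):
    """Return ({user: status}, {user: [device-add times from suspect sources]})."""
    # ISO 8601 timestamps sort correctly as plain text.
    rows = sorted(r for r in csv.reader(io.StringIO(log_text)) if r)
    # A source is suspect once it has failed against several breached accounts.
    failed = defaultdict(set)
    for _, user, ip, event in rows:
        if event == "FAIL" and user in breached:
            failed[ip].add(user)
    suspect = {ip for ip, users in failed.items() if len(users) >= min_targets}

    status, reset_seen, devices = {}, set(), defaultdict(list)
    for ts, user, ip, event in rows:
        if user not in breached:
            continue
        if event == "PWRESET":
            reset_seen.add(user)
        elif ip in suspect:
            if event == "OK":
                # A success after a reset is the re-compromise case.
                status[user] = "re-compromised" if user in reset_seen else "compromised"
            elif event == "DEVICE_ADD":
                devices[user].append(ts)  # device association to review and unsync
            elif event == "FAIL":
                status.setdefault(user, "targeted")
    return status, dict(devices)
```

On the sample data, `carol` is reported as re-compromised and also carries a device association added from the suspect source before her reset.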
