Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)


From: "Theodore J. August" <Theodore.August () SALVE EDU>
Date: Tue, 1 Oct 2019 15:30:59 +0000

Hi Marty,

Ahh Chegg, the gift that keeps on giving…

We are an Office 365 shop as well.  IMAP, POP3, and SMTP all get around MFA because most clients use basic 
authentication, and Microsoft will allow a check down to basic authentication on these protocols if they are enabled.  
We were having a large number of issues with spray attacks and credential stuffing attacks about a year ago, so we 
disabled legacy protocols at both the mailbox level in Exchange and by using Azure AD conditional access policies, with 
exceptions only made for on-premises use of these protocols on certain service accounts.  We were lucky enough to have 
less than 1% of logons using these legacy protocols, so they were turned off without announcement or fanfare, and 
we assisted users to alternative methods of checking mail if they did call in.  I’d be happy to chat off list on what 
we’ve done to secure Office 365.  Thankfully as others have mentioned, Microsoft will be turning off basic 
authentication sometime in 2020, so that should help against these attacks when they fail.

We’ve had a couple of re-compromises as well.  We feel like it was poor password selection when it happened.  We’re 
seeing 30-40 logon attempts with only one being successful.

Thanks,

--
Ted August
Network Administrator
Office of Information Technology
Salve Regina University
(401) 341-2499 | theodore.august () salve edu
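The detection side of what Ted describes, as an added example that is not part of the original thread: triage sign-in records for successful logons over IMAP/POP3/SMTP (which never saw an MFA prompt), for one source address walking many accounts (password spray), and for one account hammered with many attempts and a single success (credential stuffing). The comma-separated record layout, the client-app labels, the thresholds and the sample records are all constructed assumptions for this example, not the real Azure AD sign-in log schema.

```python
"""Triage constructed sign-in records for legacy-protocol MFA bypass,
password spray and credential stuffing.  Added example; the record format,
client-app labels and thresholds are assumptions, not Microsoft's schema."""
import csv
import io
from collections import defaultdict

# Client-app labels treated as basic-auth legacy protocols (assumed labels).
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP"}

# Constructed sample records: timestamp,user,source_ip,client_app,result
SAMPLE_LOG = """\
2019-09-30T14:00:01Z,alice@example.edu,192.0.2.10,Browser,Success
2019-09-30T14:00:05Z,dave@example.edu,192.0.2.11,Browser,Failure
2019-09-30T14:00:09Z,dave@example.edu,192.0.2.11,Browser,Success
2019-09-30T14:01:00Z,u1@example.edu,203.0.113.7,IMAP4,Failure
2019-09-30T14:01:01Z,u2@example.edu,203.0.113.7,IMAP4,Failure
2019-09-30T14:01:02Z,u3@example.edu,203.0.113.7,IMAP4,Failure
2019-09-30T14:01:03Z,u4@example.edu,203.0.113.7,IMAP4,Failure
2019-09-30T14:01:04Z,u5@example.edu,203.0.113.7,IMAP4,Failure
2019-09-30T14:01:05Z,u6@example.edu,203.0.113.7,IMAP4,Failure
2019-09-30T14:02:00Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:01Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:02Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:03Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:04Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:05Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:06Z,bob@example.edu,198.51.100.9,IMAP4,Failure
2019-09-30T14:02:07Z,bob@example.edu,198.51.100.9,IMAP4,Success
"""

FIELDS = ["timestamp", "user", "source_ip", "client_app", "result"]


def parse_records(text):
    """Parse the constructed CSV layout into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["timestamp"]]


def legacy_successes(records):
    """Successful logons over basic-auth protocols: no MFA was applied."""
    hits = {(r["user"], r["source_ip"], r["client_app"])
            for r in records
            if r["client_app"] in LEGACY_CLIENTS and r["result"] == "Success"}
    return sorted(hits)


def spray_sources(records, min_users=5):
    """Source IPs that tried at least min_users distinct accounts (spray)."""
    users_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["source_ip"]].add(r["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)


def stuffing_targets(records, min_attempts=5, max_success_rate=0.2):
    """Accounts with many attempts and a rare (or no) success: stuffing/brute force.
    Returns (user, attempts, successes) tuples."""
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for r in records:
        attempts[r["user"]] += 1
        if r["result"] == "Success":
            successes[r["user"]] += 1
    return sorted((u, n, successes[u]) for u, n in attempts.items()
                  if n >= min_attempts and successes[u] / n <= max_success_rate)


def triage(text):
    """Run all three checks over a log text and return the findings."""
    records = parse_records(text)
    return {
        "legacy_mfa_bypass": legacy_successes(records),
        "spray_sources": spray_sources(records),
        "stuffing_targets": stuffing_targets(records),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

The three checks deliberately key on different dimensions (client app, source address, target account) because a single one misses something: the spray source never succeeds and so never appears in the legacy-success list, while the stuffed account's one success is precisely the logon that bypassed MFA.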



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Manjak, Martin" 
<mmanjak () ALBANY EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, September 30, 2019 at 2:58 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

We’ve had at least one re-compromise. The student made a predictable change to their Chegg-exposed pwd, and the perps 
were able to circumvent MFA on the account via IMAP.

It’s not entirely clear to me how these other protocols are accessible if the account has 2F enabled on it. I thought 
clients that did not support modern auth required an app password.

We’re an O365 shop.

Marty Manjak
CISO
University at Albany

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Maciej Krupa
Sent: Monday, September 30, 2019 2:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

For the folks that experienced a ‘re-compromise’, do you have legacy protocols (POP3, IMAP and SMTP) turned off? These 
protocols will circumvent MFA. Also, is the password of the re-compromised account the same as the password from the 
Chegg compromise?

We didn’t experience a re-compromise yet but I am curious what others are experiencing and see what else we need to 
look out for.

Maciej Krupa
Director
Data Center Infrastructure and
Network Operations Services
St. Francis College
718-489-3482
mkrupa () sfc edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Friday, September 27, 2019 1:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

We have also had one re-compromise.

Ronald King
Chief Information Security Officer

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Thursday, September 26, 2019 2:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Andrea, we just had our first confirmed 're-compromise' and are starting down the road of trying to figure out how it 
happened. Do you have any insight that you are willing to share on how the accounts were re-compromised?

Frank

On Mon, Sep 23, 2019 at 12:10 PM Tanner, Andrea <atanner3 () ccbcmd edu> wrote:
Hi everyone,

Our IA team said that we have had a few accounts this past week where a compromised account password was reset by the 
student but the account again gets compromised.  We don’t allow password reuse for a specific number of past passwords. 
 I wonder if ours is different behavior than what you folks are noticing with the Chegg breach accounts.  Has anyone 
else been seeing this recompromise, too?

Side note: It might be we are dealing with a compromise and malware combination attack or we have somewhere on our 
campus where we have malware installed that we must eradicate.  Lots of work to do!

Andrea
Pronouns: She/Her/Hers

Andrea Tanner, M.S. | Senior Director, Technology Support | Community College of Baltimore County
Phone: 443-840-4155  | Catonsville Campus CLLB 104B       | atanner3 () ccbcmd edu
CCBC. The incredible value of education.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 23, 2019 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)


Just to 'close the loop' on this, we're seeing so many attacks based on the chegg list right now that it isn't even 
funny. luckily many of them are failing, but we're seeing a good number of successful 'password reuse' attacks that we 
can confirm are linked directly to the chegg list.

Frank

On Fri, Aug 16, 2019 at 7:17 PM Joseph Tam <tam () math ubc ca> wrote:
(Speaking as someone who deals with a few hundred, not a few thousand
accounts.)

Frank Barton <bartonf () HUSSON EDU> writes:

Are you notifying impacted users?

Yes.  I make reference to the most comprehensive sites I can find that
explain the data breach -- disturbingly, some vendors not very forthcoming
about it--  as well as general security advice on password diversification,
identity fraud, etc.

Are you requiring a password reset for campus systems?

No.  Unless you have evidence that the same password is being used, I rely
on the recipient to judge for themselves what are appropriate actions.
Forcing people to change their password based on paranoia, like frequent
password rotation, is counterproductive.

Ken Connelly <ken.connelly () UNI EDU> writes:

For all similar reports that include a password in the
stolen data, we send this message to the affected accounts.

These breaches leak all sorts of data, and hashed passwords may not be
as damaging as attempts at identity fraud, so I notify users about that
as well.

(In sig)
Any request to divulge your UNI password via e-mail is fraudulent!

Most phish will try and instruct you to enter it into a web form,
but making this distinction in a short sig is doomed to failure.
Reducing security to a slogan is the opposite of what you want.

"Jim A. Bole" <jbole () STEVENSON EDU> writes:

We subscribe to haveibeenpwned.com's domain search notification service.
We've seen a steady increase in notifications around these types of services:
-          Chegg
-          Canva
-          Adobe

I'm also subscribed there, and the recent spike in reported accounts
seems to be sourced from the same individual.  Apparently, this person
found a way to get a hold of a lot of breached data.  (Maybe working
undercover?)

From:    Blake M Bourgeois <bbour53 () LSU EDU>

For what it is worth, we saw the data in the breach being leveraged as
early as May 2018 and were able to finally confirm that the large
number of account compromises then were a result of this breach.

I've observed that these data leak notifications get less useful over
time.  Not only do many accounts go extinct (most of the accounts I
get notified about don't exist anymore), but action on earlier breach
notices also protect from some later breaches.  I see a lot of overlap
on accounts where the same user account shows up again and again.

These leaked credentials are exploited though: some of the frequently
reported leaked credentials also show up frequently in my auth failure
logs.

Joseph Tam <tam () math ubc ca>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University




--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University







