IT asks community to change passwords after security breach
Security breaches at companies like LinkedIn and Adobe, along with over 100 compromised accounts since the beginning of the year, prompted Rice University Information Technologies to send an email on April 2 to all members of the Rice community asking them to change their passwords, according to Information Security Officer Marc Scarborough.
“In the past, you could pretty clearly see a correlation between a phishing [attempt] and compromised accounts sending lots of spam,” Scarborough said. “This year, we’ve seen some major differences. In January 2013, we saw 3 or 4 [compromises]. [This] January, we saw 40, [and] we don’t see the same correlation between phishing and the number of accounts.”
According to Scarborough, since people typically use the same username and password at multiple sites, a breach at any of those sites could be used to compromise the Rice account.
“Take the example of LinkedIn,” Scarborough said. “Their password database was compromised and they had notified their community in June 2012. We know a lot of people registered there with their Rice address and password. So when LinkedIn said, ‘Hey, these passwords are compromised and need to change,’ what we see is that the people at Rice did not change their password here, and those passwords aren’t just compromised in secret. They [were] compromised and published to the wild.”
Scarborough said Rice IT had correlational evidence that pointed towards a breach at LinkedIn as a large cause for the recent uptick in compromised accounts.
“Attackers are using the user ID of a Rice email address and the corresponding password to log into our systems,” Scarborough said. “For example, 28 out of 30 accounts [might be] created before June 2012. It’s [also] not one department. It’s faculty, staff, students, departments all over the map. The only piece that was consistent was that all of the accounts were created in our system before LinkedIn announced their breach. It might mean something, it might not. But the fact that it’s almost exclusively accounts two years or older is interesting.”
Scarborough said a breach at Adobe late last year may have also contributed to the compromised accounts.
“Adobe is actually a big player in higher education,” Scarborough said. “A lot of people have Adobe accounts. We know that, again, people use the same password, and, again, people probably were forced to change their password at Adobe, but we [didn’t] see a mass change of passwords at Rice when Adobe announced their breach.”
According to Scarborough, the breach was exacerbated because Rice does not require routine password changes.
“If we had an annual password change and [the compromised accounts] really were because of LinkedIn, we probably wouldn’t be having this [conversation],” Scarborough said. “People don’t want to move forward and make the entire university go through a system where we have to change passwords with some frequency. If there’s a big enough breach, and I can show that so many Rice addresses, if it’s 500 or 300, [were compromised], I can probably make an argument to push a campus-wide password change, but we haven’t been able to say that.”
Scarborough said password managers like KeePass and OnePass are useful tools for preventing account compromises.
“I know it’s a challenge for people to choose different passwords, and we don’t want to go back to writing them behind keyboards like the old joke,” Scarborough said. “Password managers work. Most have integrated browser support and work well on mobile devices.”
Scarborough said he encourages anyone with questions to email him at marc.scarborough@rice.edu or call at 713-348-5735.