Educause Security Discussion mailing list archives
Re: Chegg Data Breach notification (Thanks to HIBP)
From: Frank Barton <bartonf () HUSSON EDU>
Date: Mon, 23 Sep 2019 12:48:17 -0400
I think Garrett is looking for the raw passwords, not just the list of users included. I'm also not sure why that information would be useful. HIBP is great for finding out when accounts are on lists; I'm not sure that I would want to have the passwords that were compromised. HIBP also has an API where passwords can be securely hashed and compared to check if they have been seen in any breach. (It doesn't specify exactly which breach it was found in, just that it is "out there somewhere".)

Frank

On Mon, Sep 23, 2019 at 12:35 PM Jim A. Bole <jbole () stevenson edu> wrote:
Garrett,

Someone can sign up for your domain(s) on HIBP. Once you do you'll get notifications as well as a dump of all accounts associated with your domain(s).

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garrett McManaway
Sent: Monday, September 23, 2019 11:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Chegg Data Breach notification (Thanks to HIBP)

Does anyone have the raw password dump, or is able to point me to where it exists?

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 23, 2019 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Just to 'close the loop' on this, we're seeing so many attacks based on the Chegg list right now that it isn't even funny. Luckily many of them are failing, but we're seeing a good number of successful 'password reuse' attacks that we can confirm are linked directly to the Chegg list.

Frank

On Fri, Aug 16, 2019 at 7:17 PM Joseph Tam <tam () math ubc ca> wrote:

(Speaking as someone who deals with a few hundred, not a few thousand accounts.)

Frank Barton <bartonf () HUSSON EDU> writes:

> Are you notifying impacted users?

Yes. I make reference to the most comprehensive sites I can find that explain the data breach -- disturbingly, some vendors are not very forthcoming about it -- as well as general security advice on password diversification, identity fraud, etc.

> Are you requiring a password reset for campus systems?

No.
Unless you have evidence that the same password is being used, I rely on the recipient to judge for themselves what are appropriate actions. Forcing people to change their password based on paranoia, like frequent password rotation, is counterproductive.

Ken Connelly <ken.connelly () UNI EDU> writes:

> For all similar reports that include a password in the stolen data, we send this message to the affected accounts.

These breaches leak all sorts of data, and hashed passwords may not be as damaging as attempts at identity fraud, so I notify users about that as well.

> (In sig) Any request to divulge your UNI password via e-mail is fraudulent!

Most phish will try and instruct you to enter it into a web form, but making this distinction in a short sig is doomed to failure. Reducing security to a slogan is the opposite of what you want.

"Jim A. Bole" <jbole () STEVENSON EDU> writes:

> We subscribe to haveibeenpwned.com's domain search notification service. We've seen a steady increase in notifications around these types of services:
> - Chegg
> - Canva
> - Adobe

I'm also subscribed there, and the recent spike in reported accounts seems to be sourced from the same individual. Apparently, this person found a way to get a hold of a lot of breached data. (Maybe working undercover?)

From: Blake M Bourgeois <bbour53 () LSU EDU>

> For what it is worth, we saw the data in the breach being leveraged as early as May 2018 and were able to finally confirm that the large number of account compromises then were a result of this breach.

I've observed that these data leak notifications get less useful over time.
Not only do many accounts go extinct (most of the accounts I get notified about don't exist anymore), but action on earlier breach notices also protects from some later breaches. I see a lot of overlap on accounts where the same user account shows up again and again. These leaked credentials are exploited though: some of the frequently reported leaked credentials also show up frequently in my auth failure logs.

Joseph Tam <tam () math ubc ca>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
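The API Frank refers to at the top of this message is HIBP's Pwned Passwords "range" lookup: the client SHA-1 hashes the password, sends only the first five hex characters to https://api.pwnedpasswords.com/range/<PREFIX>, and receives every known hash suffix under that prefix with a breach count, so the match is made locally and neither the password nor its full hash ever leaves the machine. The block below is an added example written for this archive page; it is not code from anyone in the thread or from HIBP. The range response it checks against is constructed (the suffix of "password" is real, the counts and the other suffixes are invented), and the live `fetch_range` helper is provided but not exercised, so the demo runs offline.

```python
"""Offline demonstration of the HIBP Pwned Passwords k-anonymity range lookup.

Added example for this page; not code from the mailing-list thread or HIBP.
Response lines have the documented form  <35-hex SUFFIX>:<count>.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    if len(digest_hex) != 40:
        raise ValueError("expected a 40-hex-char SHA-1 digest")
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Blank lines are skipped.  When the client asks for padding, HIBP mixes in
    dummy entries with a count of 0; they are kept here as 0 and therefore
    never count as a hit in check_password().
    """
    seen: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup over the network.  Only the 5-char prefix is transmitted.
    Not used by the offline demo; shown for completeness."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(RANGE_URL + prefix.upper(),
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetcher=fetch_range) -> int:
    """Breach count for `password` (0 = not seen).  `fetcher` maps a 5-char
    prefix to a range response body, so the lookup can be swapped for an
    offline stand-in in tests."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6.  "password" hashes to
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix appears below;
# the counts and the other suffixes are invented (a real response for this
# prefix runs to hundreds of lines).  The last line imitates a padding entry.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def offline_fetcher(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample and an
    empty body (no known hashes) for every other prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(sha1_hex(pw))
        hits = check_password(pw, offline_fetcher)
        verdict = f"seen {hits} times" if hits else "not seen"
        print(f"{pw!r}: sent prefix {prefix}, {verdict}")
```

Two things the demo makes concrete that the thread only alludes to: the server learns nothing beyond a 5-character prefix shared by many hashes, and a hit only tells you the password appears in some breach corpus, not which one. Treat a count of 0 as "not seen" so padding entries cannot produce false positives.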
Current thread:
- Re: Chegg Data Breach notification (Thanks to HIBP), (continued)
- Re: Chegg Data Breach notification (Thanks to HIBP) John McCabe (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Manjak, Martin (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Matt Armstrong (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Joseph Tam (Aug 16)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Garrett McManaway (Sep 23)
- Re: [EXTERNAL] Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP) Zachary Yamada (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Jim A. Bole (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Hagan, Sean (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Hagan, Sean (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Garrett McManaway (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Bukowski, David (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Brandon Hume (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) John McCabe (Sep 24)
- Re: Chegg Data Breach notification (Thanks to HIBP) Tanner, Andrea (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Frank Barton (Sep 23)
- Re: Chegg Data Breach notification (Thanks to HIBP) Barton, Robert W. (Sep 23)