Educause Security Discussion mailing list archives
Re: Chegg Data Breach notification (Thanks to HIBP)
From: Brandon Hume <brandon.hume () DAL CA>
Date: Mon, 23 Sep 2019 21:23:35 +0000
On 2019-09-23 4:33 p.m., Barton, Robert W. wrote:

> If they have done their work in some areas, but not others, the site password should be a hash anyway and thus of limited (no) use. Although, if the passwords are kept in a non-encrypted format, I can see where knowing what people are using for passwords could give you a good idea as to IF they are using good password hygiene/policy.

According to reports the original dump had the passwords in MD5 format, so only one or two steps off from cleartext. I'm assuming the reason we're seeing this rush now is because some go-getter finally ran it through a rainbow table and put it out for the rest to swarm.

I can testify that while there's been some weak passwords, I've also seen some very strong passwords taken. The quality of the password really doesn't mean much when the attacker sees it clear as day. The real issue is password re-use in this case, and that's probably the best direction to take when communicating.

In the meanwhile... what's the high score? We're closing in on two hundred compromised accounts so far, two of which showed themselves while I was actually writing this message.

And I have to say... while I've been a "cloud-resistant" individual, I have to admit O365's threat detection heuristics are really borderline magical.
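An added example, not part of the original message or the list archive: because unsalted MD5 is deterministic, a defender can screen new passwords against a breach dump by digest alone, while salted, slow hashing gives every stored record a different value. The sample passwords, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a dump of unsalted MD5 digests
# (these are not values from the actual breach).
BREACHED_MD5 = {
    hashlib.md5(p.encode("utf-8")).hexdigest()
    for p in ("password1", "Summer2019!", "correct horse battery staple")
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def in_breach(candidate):
    """True if the candidate's unsalted MD5 digest appears in the dump.

    The same password always yields the same digest, whatever its strength,
    so a match means the password is effectively known to anyone holding
    the dump and must not be accepted for reuse.
    """
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    return digest in BREACHED_MD5


def store_password(password):
    """Return (salt, digest) using a per-record salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the KDF with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


def accept_new_password(candidate):
    """Reject passwords seen in the dump; otherwise return a storable record."""
    if in_breach(candidate):
        return None
    return store_password(candidate)
```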