Educause Security Discussion mailing list archives

Re: Chegg Data Breach notification (Thanks to HIBP)


From: John McCabe <john.mccabe01 () MANHATTAN EDU>
Date: Tue, 24 Sep 2019 14:24:40 -0400

I'm continually tracking down compromised accounts at my institution. We
use G Suite and regularly get alerts of suspicious behavior. Sometimes the
suspicious alert is a false positive. I do my best to detect false
negatives though as that's where my visibility can be at zero for a given
set of compromised accounts.

If you're looking for compromised accounts that your managed threat service
missed...

Some of the recent compromised accounts are used to register teamviewer.com
accounts. Look for emails from service-noreply () teamviewer com where the
subject is

TeamViewer帐户 - 电子邮件确认

I've reported the accounts to teamviewer.com using
https://content.teamviewer.com/en/report-a-scam/ which is really not meant
for this purpose. If anyone has a better contact please share.

Separately I've noticed some of the compromised accounts have joined a
botnet and have done so using a method that is not new. The compromised
account sends an email to a reasonable domain such as gmail.com with a
message that includes the email address, password and the SMTP server. If
you can search over the message bodies (and your institution uses gmail)
then try this string

,smtp.gmail.com:465

on sent email. Yes, include the leading comma.



Happy hunting,
John




On Fri, Aug 16, 2019 at 9:03 AM Frank Barton <bartonf () husson edu> wrote:

Good morning folks,

I'm sure a bunch of you got similar notifications this morning that
$BIGNUM accounts at your domain were impacted by the April 2018 Chegg Data
breach.

We are looking at how we want to address this, as I'm sure that many
students use the same password everywhere.

Have any of you decided how you are going to address this?
Are you notifying impacted users?
Are you requiring a password reset for campus systems?

Thank You
Frank

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community



-- 
*John McCabe*

*Senior Information Security Manager & Data Protection Officer*
*Information Technology Services*
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
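
The two searches described in the message above, as an added example that is not part of the original post: a Python check that decodes each message before matching, because a raw string search misses subjects stored as RFC 2047 encoded words and bodies stored as base64. The function names, tags and sample messages are constructed for illustration; the sender, subject and search string are the ones quoted in the post.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

TV_SENDER = "service-noreply@teamviewer.com"   # sender named in the post
TV_SUBJECT = "TeamViewer帐户 - 电子邮件确认"       # subject quoted in the post
SMTP_MARKER = ",smtp.gmail.com:465"            # leading comma included


def body_text(msg):
    """Join all text parts after undoing base64/quoted-printable encoding."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")


def classify(raw, sent):
    """Return a hunt tag for one raw message, or None if neither search hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split())  # unfold whitespace
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if not sent and sender == TV_SENDER and TV_SUBJECT in subject:
        return "teamviewer-registration"
    if sent and SMTP_MARKER in body_text(msg):
        return "smtp-credential-mail"
    return None


def sample(frm, subject, body):
    """Build a constructed test message with a base64-encoded body."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, "rcpt@example.org", subject
    m.set_content(body, cte="base64")
    return m.as_bytes()


# Constructed samples: (raw message, is it from a Sent folder?)
SAMPLES = [
    (sample("TeamViewer <service-noreply@teamviewer.com>", TV_SUBJECT, "x"), False),
    (sample("student@example.edu", "hi",
            "student@example.edu,NOT-A-REAL-PASSWORD,smtp.gmail.com:465"), True),
    (sample("helpdesk@example.edu", "Mail client setup",
            "Use smtp.gmail.com:465 as the outgoing server."), True),
]


def run():
    return [classify(raw, sent) for raw, sent in SAMPLES]


if __name__ == "__main__":
    print(run())
```

The third sample shows why the leading comma matters: ordinary mail that mentions the SMTP server and port is not flagged.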
