Educause Security Discussion mailing list archives

Re: Chegg Data Breach notification (Thanks to HIBP)


From: "Barton, Robert W." <bartonrt () LEWISU EDU>
Date: Tue, 24 Sep 2019 19:15:12 +0000

A slight tangent…anybody using the HIBP API?  What have you done with it?  We’re looking at it now and just starting to 
test with it.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of John McCabe
Sent: Tuesday, September 24, 2019 1:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

I'm continually tracking down compromised accounts at my institution. We use G Suite and regularly get alerts of 
suspicious behavior. Sometimes the suspicious alert is a false positive. I do my best to detect false negatives though 
as that's where my visibility can be at zero for a given set of compromised accounts.

If you're looking for compromised accounts that your managed threat service missed...

Some of the recent compromised accounts are used to register teamviewer.com accounts. Look for 
emails from service-noreply () teamviewer com where the subject is

TeamViewer帐户 - 电子邮件确认

I've reported the accounts to teamviewer.com using 
https://content.teamviewer.com/en/report-a-scam/ which is really not meant for this purpose. If anyone has a better 
contact please share.

Separately I've noticed some of the compromised accounts have joined a botnet and have done so using a method that is 
not new. The compromised account sends an email to a reasonable domain such as gmail.com with a 
message that includes the email address, password and the SMTP server. If you can search over the message bodies (and 
your institution uses gmail) then try this string

,smtp.gmail.com:465

on sent email. Yes, include the leading comma.



Happy hunting,
John




On Fri, Aug 16, 2019 at 9:03 AM Frank Barton <bartonf () husson edu> wrote:
Good morning folks,

I'm sure a bunch of you got similar notifications this morning that $BIGNUM accounts at your domain were impacted by 
the April 2018 Chegg Data breach.

We are looking at how we want to address this, as I'm sure that many students use the same password everywhere.

Have any of you decided how you are going to address this?
Are you notifying impacted users?
Are you requiring a password reset for campus systems?

Thank You
Frank

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
John McCabe
Senior Information Security Manager & Data Protection Officer
Information Technology Services
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
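
An added example, not part of the original messages: one way to run the two hunts John describes over exported raw messages, decoding RFC 2047 subjects and base64 bodies that a plain text search of the raw export would miss. The function names, the `example.edu` / `example.net` addresses and the sample message bodies are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted in the thread above.
TV_SENDER = "service-noreply@teamviewer.com"
TV_SUBJECT = "TeamViewer帐户 - 电子邮件确认"
SMTP_MARKER = ",smtp.gmail.com:465"  # leading comma included, as the post says

def squash(s):
    """Drop whitespace so header folding cannot break the subject comparison."""
    return "".join(s.split())

def body_text(msg):
    """Concatenate all text parts with base64/quoted-printable decoded."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def classify(raw, campus_domain):
    """Return the indicator names that one raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))  # policy.default decodes encoded words
    hits = []
    if sender == TV_SENDER and squash(TV_SUBJECT) in squash(subject):
        hits.append("teamviewer-registration")
    # Only mail sent by a campus account counts for the second hunt.
    if sender.endswith("@" + campus_domain) and SMTP_MARKER in body_text(msg):
        hits.append("smtp-credential-mail")
    return hits

def sample(frm, to, subject, body):
    """Build a constructed message whose body is stored base64-encoded."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, to, subject
    m.set_content(body, cte="base64")
    return m.as_bytes()

# Constructed samples; addresses and bodies are placeholders.
SAMPLES = {
    "tv": sample("TeamViewer <service-noreply@teamviewer.com>",
                 "student1@example.edu", TV_SUBJECT, "Please confirm."),
    "leak": sample("student2@example.edu", "drop@example.net", "hi",
                   "student2@example.edu,PASSWORD-REDACTED,smtp.gmail.com:465"),
    "benign": sample("helpdesk@example.edu", "student3@example.edu", "Mail setup",
                     "Set the outgoing server to smtp.gmail.com:465 with SSL."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw, "example.edu"))
```

The benign help-desk message shows why the leading comma matters: it mentions the same server and port but does not match.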
