The University of Michigan Blames Password Leaks on Third-Party Data Breaches


On Friday, students at the University of Michigan (UM) were alerted to a list of login credentials that was circulating online. The file was freely distributed, and it did indeed contain tens of thousands of pairs of @umich.edu email addresses and plaintext passwords. Some students checked the list and were alarmed to find that their login data was valid. Predictably, they initially laid the blame at UM's doorstep, but it later turned out that the institution was not responsible for the leak in any way. In fact, it was the students themselves who could have done a lot more to protect their accounts.

The login data was leaked during unrelated breaches

Shortly after the list became public, the University of Michigan issued an official advisory explaining that the leaked email addresses and passwords came from third-party data breaches. The university assured students that its own systems had not been compromised and announced that it would reset passwords wherever it saw a real danger of unauthorized access.

After clearing up exactly what had happened, the advisory gave students some tips on improving their overall online security. If students had heeded these tips before the list was published, the advisory would have been largely unnecessary.

How UM's students put themselves in danger

The list of usernames and passwords put UM's students at a very real risk of credential stuffing. For those who don't know, in a credential stuffing attack, attackers take a large list of usernames and passwords stolen from one service and try them, in automated fashion, against many others. They bet that plenty of people reuse the same credentials across websites, and the fact that credential stuffing is widely regarded as the cheapest way to compromise a large number of accounts shows that the bet usually pays off. Note that each account typically sees only one or two guesses, so per-account lockout rules rarely trigger; the attack is visible only in aggregate, as one source trying many different usernames with a high failure rate.
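To make that aggregate signal concrete, here is an added example (not code from the original article or from the University of Michigan) that classifies login sources in an authentication log as credential stuffing, single-account brute force, or normal traffic, and lists the accounts where a stuffed password actually worked. The log format, the IP addresses, the @umich.edu usernames and the thresholds are all constructed for this illustration.

```python
"""Spot credential-stuffing traffic in authentication logs.

Credential stuffing looks different from a classic brute-force attempt:
one source tries roughly ONE password per account across MANY accounts,
so the signal is "many distinct usernames from one source, almost all
failing, about one attempt per username". The log format, sample lines,
addresses and thresholds below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed log format: "<timestamp> src=<ip> user=<email> result=<ok|fail>"
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

SAMPLE_LOG = """\
2020-07-03T10:00:01 src=203.0.113.7 user=alice@umich.edu result=fail
2020-07-03T10:00:02 src=203.0.113.7 user=bob@umich.edu result=fail
2020-07-03T10:00:02 src=203.0.113.7 user=carol@umich.edu result=ok
2020-07-03T10:00:03 src=203.0.113.7 user=dave@umich.edu result=fail
2020-07-03T10:00:03 src=203.0.113.7 user=erin@umich.edu result=fail
2020-07-03T10:00:04 src=203.0.113.7 user=frank@umich.edu result=fail
2020-07-03T10:00:05 src=203.0.113.7 user=grace@umich.edu result=fail
2020-07-03T10:00:05 src=203.0.113.7 user=heidi@umich.edu result=fail
2020-07-03T10:00:06 src=203.0.113.7 user=ivan@umich.edu result=fail
2020-07-03T10:00:07 src=203.0.113.7 user=judy@umich.edu result=fail
2020-07-03T10:01:00 src=198.51.100.9 user=mallory@umich.edu result=fail
2020-07-03T10:01:01 src=198.51.100.9 user=mallory@umich.edu result=fail
2020-07-03T10:01:02 src=198.51.100.9 user=mallory@umich.edu result=fail
2020-07-03T10:01:03 src=198.51.100.9 user=mallory@umich.edu result=fail
2020-07-03T10:01:04 src=198.51.100.9 user=mallory@umich.edu result=fail
2020-07-03T10:01:05 src=198.51.100.9 user=mallory@umich.edu result=fail
2020-07-03T10:05:00 src=192.0.2.44 user=carol@umich.edu result=fail
2020-07-03T10:05:09 src=192.0.2.44 user=carol@umich.edu result=ok
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)     # every username tried
    ok_users: set = field(default_factory=set)  # usernames that logged in


def parse_log(text):
    """Return {src_ip: SourceStats} aggregated over the log lines."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip unparseable lines instead of crashing on them
        s = stats[m["src"]]
        user = m["user"].lower()
        s.attempts += 1
        s.users.add(user)
        if m["result"] == "fail":
            s.failures += 1
        else:
            s.ok_users.add(user)
    return stats


def classify(stats, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8):
    """Label each source 'stuffing', 'brute_force' or 'normal'.

    Thresholds are illustrative; tune them against your own baseline.
    """
    verdicts = {}
    for src, s in stats.items():
        if s.attempts < min_attempts:
            verdicts[src] = "normal"
            continue
        fail_ratio = s.failures / s.attempts
        spread = len(s.users) / s.attempts  # close to 1.0 => one try per account
        if (fail_ratio >= min_fail_ratio and len(s.users) >= min_distinct_users
                and spread >= 0.8):
            verdicts[src] = "stuffing"
        elif fail_ratio >= min_fail_ratio and len(s.users) == 1:
            verdicts[src] = "brute_force"  # many passwords, one account
        else:
            verdicts[src] = "normal"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts that logged in from a source flagged as stuffing.

    These are the users whose reused password actually worked; they are
    the first candidates for a forced password reset.
    """
    hit = set()
    for src, verdict in verdicts.items():
        if verdict == "stuffing":
            hit |= stats[src].ok_users
    return hit


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    verdicts = classify(stats)
    for src, verdict in verdicts.items():
        print(f"{src:14} {verdict:12} attempts={stats[src].attempts} "
              f"users={len(stats[src].users)} failures={stats[src].failures}")
    print("reset first:", sorted(compromised_accounts(stats, verdicts)))
```

The distinguishing feature is the `spread` ratio: a brute-force source hammers one username with many passwords (spread near 0), while a stuffing source touches each username about once (spread near 1). Per-account lockouts catch the former and miss the latter, which is why the aggregation has to be by source rather than by account. In a real deployment the source key would usually combine IP with other fingerprinting, since stuffing tools rotate through proxies.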

It's common knowledge that the root cause of credential stuffing is password reuse, and that a unique password for every service would stop it, but that is easier said than done. This is one of the main reasons two-factor authentication exists: even when a reused password is correct, the attacker still has to get past the second factor.

The University of Michigan has thought about its students' security and has implemented a system that requires the user to answer a phone call, enter a code, or approve a push notification in order to log in. Unfortunately, it is not enabled by default, and it's hard to say how many of the affected students had turned it on.

We should probably touch upon the question of where the data is coming from as well. In its advisory, the University of Michigan mentioned three online service providers that have been breached in the past and could have acted as the source of the leaked email addresses and passwords: Chegg, LinkedIn, and Zynga. We should point out that no one has officially confirmed where the stolen data came from, but we'll go with these three providers to illustrate the point of how important it is to think about which email address you're using when you're registering an online account.

Chegg offers services in the sphere of education, and you can see how a student might use their University of Michigan email address to register for a Chegg account. LinkedIn is the world's most popular professional social network, and you might also be able to justify associating a profile there with an @umich.edu address.

Zynga, on the other hand, is a developer of online games. It asks you to register so that you can farm virtual vegetables or solve online crosswords. Using a university email address to create this type of account just doesn't seem like the right thing to do, and as you can see, it can also put your online security at risk.

The need to juggle so many online accounts has led some people to believe that we've completely lost control over our data. This is true only to a certain extent. When we need to communicate with people who are in a position to shape our future, we have to use our official email addresses. When we merely expect updates from a time-wasting mobile game, we're better off using a throwaway address that we don't care too much about. After all, a credential stuffing attack only works when both the username and the password match what the target site expects, so a separate address for low-value accounts breaks the link even if the password leaks (reusing the password remains a bad idea all the same).

July 7, 2020