What's the Deal with Publicly Posted Credentials?

USNH Cybersecurity has contracted with a variety of sources to provide information on credentials (usernames and passwords) associated with University-wide students, Emeritus and staff that were collected in the breach of another company’s systems and posted in the public domain. USNH Cybersecurity researches the information provided to determine if action is necessary. In some cases no action is required because the account holder has changed their password between notifications. If you reuse your University email address, username and password for outside accounts, such as a LinkedIn account, and LinkedIn suffers a breach involving stolen credentials, you will be required to change your password. Practicing good credential hygiene can help reduce this risk to the University and is highly recommended by USNH Cybersecurity. This will:

1. Limit exposure for the University; and

2. Decrease the likelihood of a password change due to an external breach

When these alerts are received, the standard operating procedure is to secure the user’s account in order to prevent unauthorized access to university resources. 

 

The following FAQ is intended to address the most common questions received from users whose accounts have been secured because their university credentials were posted publicly.

How does Cybersecurity know the alert is legitimate?

The alerts Cybersecurity uses for these purposes are from trusted sources that may include large corporations, government agencies, and industry groups. 

Were my credentials stolen because of a breach of university systems?

Most alerts regarding publicly posted credentials impact a small number of users, which does not point to a breach of any university system. Each notification is reviewed to determine whether it indicates that a more significant university-centered event has occurred, and appropriate action would be taken if there was reason to suspect any kind of breach.

How did someone get my university credentials?

Unfortunately, there is rarely enough information provided in the alerts we receive (or on the sites where stolen credentials are posted) to answer this question.  There are a variety of ways that user credentials can be stolen including phishing attacks, data breaches at other companies (like Yahoo and LinkedIn), and credential harvesting malware.   

How do I know what password was exposed?

Unfortunately, there is not enough information provided in the alert to determine when the credentials were harvested, and the exposed password is not provided in the alert for security reasons. This means there is no way to know for certain which password associated with your university username or email was posted publicly.

For this reason, we require that the password associated with any potentially compromised university account be changed.

Why do I have to change my university password if I have never used my university email or password for any other account?

Unfortunately, because we are unable to determine how your credentials were harvested, we cannot guarantee that those posted are not representative of your current university password. Additionally, the alerts provide a university username or email; they do not provide the password that was publicly posted in conjunction with that university identifier. This means there is no way to know for certain that the password posted with your university username or email address is NOT your current password.

For these reasons, we require that the password associated with any potentially compromised university account be changed.

 

Can you tell me which password was posted publicly so I know whether or not I need to change it?

The alerts we receive do not provide the publicly posted password associated with your university username or email, as that would further compromise the security of any accounts utilizing that password. 

For this reason, we cannot provide you with the publicly posted password. Once you have changed the password for your university account, we highly recommend that you also change the password of any other account where you have used the same password as a password used with your university account.

How do I regain access to my account?

When a university user account is secured, it cannot be accessed until the user contacts the appropriate IT Help Desk.

Help Desk Plymouth State University (PSU)

Enterprise Technology & Services

Phone: (603) 535-2929 

Email: helpdesk@plymouth.edu

Search our How-to Documentation at:  http://go.plymouth.edu/support

 

Help Desk Keene State College (KSC)

Enterprise Technology & Services

Phone: (603) 358-2532

Email: helpdesk@keene.edu

 

Help Desk University of New Hampshire (UNH)

Enterprise Technology & Services

Phone: (603) 862-4242

Search our How-to Documentation at:  https://td.unh.edu/TDClient/KB

Submit a Support Ticket or check the Status of an Existing Request

 

Help Desk Granite State College

Enterprise Technology & Services

Phone: 1-800-372-4270

Email: GSC.Help@granite.edu

Submit a Help Request 

 

Best Practices for Protecting Your University Credentials
or
How to Avoid Having to Change Your University Password More Often than is Required by Policy

  • Don’t use your university email as the username for any account not associated with University resources.
  • Provide a personal email as the email address associated with any non-university account.
  • Do not use the same password for more than one account.
  • Do not use the same password for work accounts and personal accounts, but really - do not use the same password for more than one account.
  • Keep your business and personal online presence separate.
  • Learn how to spot phishing emails and get in the habit of checking The Phishbowl before responding to any emails that seem suspicious.
  • Make sure all devices you use to conduct university business have up-to-date anti-malware software installed and that each device is being scanned on a regular basis.
  • Make sure all devices you use to conduct university business are receiving operating system updates and that those updates are being applied on a regular basis.

Questions about publicly posted credentials can be submitted to ISS here

Details

Article ID: 1394
Created: Fri 7/19/19 6:03 PM
Modified: Thu 7/2/20 12:29 PM