Skip to main content

Wednesday, September 18, 2019

From the Interim CIO and Vice President for Enrollment, Marketing, and Communications

Posted: Wednesday, May 30, 2018

Information Security Awareness: Compromised UB E-mail Accounts

The University at Buffalo has reported that some university e-mail accounts have been compromised. While the university has indicated a probable cause, it is still not completely sure what happened. UB’s Spectrum has also posted an article about the compromised accounts, and WIVB has posted information as well.

Here’s what is being reported and how you can learn to avoid the same trap. The university believes the account credentials of faculty, students, and alumni were compromised because account holders used their UB usernames and passwords for another site or service. Please read about safe computing practices in the Buffalo State RITE Knowledge Base.

It’s a bit of work to stay secure online with connected electronic devices. But staying secure must be a top priority when thinking about registering for online services or completing forms with private information. Thinking there is nothing to lose is a HUGE mistake. When institutional credentials are used for other services, the entire campus may be compromised.

  1. Do not use the same password for more than one account.
  2. Learn to create a passphrase as your password; use an original passphrase or password for each account you have. See Tips for Creating Secure Password/Passphrase.
  3. While you may need to use your Buffalo State e-mail address to register for a service on occasion (e.g., discounted cell service, subscriptions to the New York Times or Washington Post, or purchases from Dell or Apple), do not use your Buffalo State password with these accounts. Use a unique password for every account you have.
  4. Regularly check https://haveibeenpwned.com. The owner of this site looks for pastes (stolen credentials pasted on the dark web) and breaches all over the world. Paste and breach information is reported on this site. When you arrive at the site, type in your e-mail address (no password is needed). If your e-mail address is part of a breach or paste, it will come up on this site. Type in each e-mail address you own and see if you’ve been pwned. If you’ve been pwned, a list of sites that have exposed your credentials will come up. Change your password for every account that has been pwned.
Loading