InfoSec Blog - My Account is Included in an External Data Breach...What Does That Mean?!

January 30th, 2019


What is an External Data Breach?

An external breach is an incident in which data held by a system outside the University is inadvertently exposed because of a security weakness. The Information Security team subscribes to a threat intelligence service that alerts us when @uoguelph.ca email addresses appear in one of these breaches. We then contact the affected users to make sure they are aware of the breach and, if passwords were exposed, we may require the affected users to change their password, or simply recommend a password change to protect their account.


Why Should I Care?

In 2018 there were over 5,200 reported public data breaches worldwide, which included 7.8 billion user accounts. Included in those breaches were over 13,000 University of Guelph accounts! If scammers have access to your account credentials they can gather more information about you or potentially use that information to gain access to University data and systems. Our primary concern is password reuse: security best practice is to use a unique password for every account, but research shows that many of us still use the same password for all of our online accounts.


How Do I Know That Your Breach Notification Message Isn't a Scam?

Information Security will never ask you to provide your password or other personal information, and we try to avoid including links in our notifications. For example, if you are required to change your password, we will provide instructions on how to find the password change tool by searching on the University home page instead of providing a direct link. Finally, we always include our on-campus contact information, both our physical location (University Centre, Level 3, Room 367) and on-campus phone extension (ext. 58006) should you wish to verify the message or contact us with additional questions.


How Can I Check if My Other Accounts Are Part of Previous Data Breaches?

If you are interested in checking whether your email address has ever been included in a data breach, go to https://haveibeenpwned.com/. This is an industry-recognized tool run by a prominent and trusted security researcher. Simply enter your email address and it will tell you if your account has been part of a data breach in the past. Don't be shocked if you find that it has been part of one or more breaches over the past several years. While you are there you can also sign up for future notifications.

The site also offers a tool to test whether your password is unique. Again, this is a trustworthy site, and it does not ask for any information that could link you to the passwords you test. When you enter a password, the site checks whether that password has been exposed in any past data breach. For example, I tried a password that I have used in the past to register for an online site, and this password was found in the database; as a result I will not use that password again. I also tried a password that I use for my email account, and because it was not in their database I feel confident that it remains secure.
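The reason the password checker can work without receiving your password is worth seeing in code. The Pwned Passwords service uses a range query: your browser hashes the password with SHA-1 locally, sends only the first five hex characters of that hash, and receives every known hash suffix that starts with those five characters, so the match is made on your own machine and the service never learns which password you tested. The script below is an added example written for this post, not code from Have I Been Pwned or from the University; the sample range response, its counts and the extra suffixes are constructed so that the example runs offline, and the online fetcher is included only to show what would actually be sent.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for the prefix
# "5BAA6", which is the first five hex characters of SHA-1("password").
# The real service returns hundreds of SUFFIX:COUNT lines; the counts and
# the other two suffixes here are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Parse a SUFFIX:COUNT range response and return how many times the
    given suffix has been seen in breach data (0 if it is absent)."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call: looks the prefix up in the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not called in this example).
    Note that only the 5-character prefix appears in the request."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times the password appears in breach data, matching
    the hash suffix locally against the range the service returned."""
    prefix, suffix = hash_parts(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        status = f"seen {n} times in breach data" if n else "not in the sample data"
        print(f"{pw!r}: {status}")
```

A password that is "not in the database" is only as reassuring as the database is complete: absence means it has not appeared in a breach the service has indexed, not that it is strong, which is why a unique password for every account still matters.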


What Can I Do to Protect My Accounts?

In general, everyone should follow these password best practices:


Written by: Chris Lee (Manager, Information Technology Services) and Stephen Willem (Manager, Information Security)