January 30th, 2019
What is an External Data Breach?
An external breach is an incident where data is inadvertently exposed in a vulnerable system due to a security weakness. The Information Security team subscribes to a threat intelligence service which alerts us when @uoguelph.ca email addresses appear in one of these breaches. We then contact the affected users to make sure they are aware of the breach, and if passwords were exposed, we may require the affected users to change their password, or simply recommend a password change to protect their account.
Why Should I Care?
In 2018 there were over 5,200 reported public data breaches worldwide, which included 7.8 billion user accounts. Included in those breaches were over 13,000 University of Guelph accounts! If scammers have access to your account credentials they can gather more information about you or potentially use that information to gain access to University data and systems. Our primary concern is password reuse: security best practice is to use a unique password for everything; however, research shows that many of us still use the same password for all of our online accounts.
How Do I Know That Your Breach Notification Message Isn't a Scam?
Information Security will never ask you to provide your password or other personal information, and we try to avoid including links in our notifications. For example, if you are required to change your password, we will provide instructions on how to find the password change tool by searching on the University home page instead of providing a direct link. Finally, we always include our on-campus contact information, both our physical location (University Centre, Level 3, Room 367) and on-campus phone extension (ext. 58006) should you wish to verify the message or contact us with additional questions.
How Can I Check if My Other Accounts Are Part of Previous Data Breaches?
If you are interested in checking if your email address has ever been included in a data breach, go to https://haveibeenpwned.com/ [1]. This is an industry-recognized tool run by a prominent and trusted security researcher. Simply enter your email address and it will tell you if your account has been part of a data breach in the past - don't be shocked if you find that it has been part of one or more breaches over the past several years. While you are there you can also sign up for future notifications.
The site also offers a tool to test the uniqueness of your password. Again, this is a trustworthy site, and it does not ask for any information that could link you to the passwords you test. When you enter a password, the site checks whether that password has been exposed in any past data breach. For example, I tried a password that I have used in the past to register for an online site, and this password was found in the database; as a result I will not use that password again. I also tried a password that I use for my email account, and because it was not in their database I feel confident that it remains secure.
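The password check described above is privacy-preserving because of how the Pwned Passwords lookup is designed: your computer hashes the password locally with SHA-1 and sends only the first five hexadecimal characters of that hash; the service replies with every known hash suffix in that range (plus how often each was seen), and your computer finishes the comparison itself. Neither the password nor even its full hash leaves your machine, and a "not found" result only means the password is absent from the known-breach corpus, not that it is strong. The Python below is an added example written for this post, not code from haveibeenpwned.com; the range responses it uses are constructed for the demo, and the `fetch_live` function (which shows the real endpoint) is defined but not called.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed offline stand-in for a "range" lookup. Keys are five-character
# SHA-1 prefixes; values are the response body the service would return, one
# "SUFFIX:COUNT" line per known hash in that range. Every suffix and count here
# is constructed for this example, except that the first suffix under "5BAA6"
# is the real SHA-1 suffix of the string "password" (its count is constructed).
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # "password" (constructed count)
        "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:12\r\n"       # constructed filler
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"        # constructed filler
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed locally and never sent."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on this machine."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}. Padded responses can
    contain count-0 entries; they parse fine and never count as a hit."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def fetch_offline(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_live(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint. Not called in this demo.
    Only the 5-character prefix appears in the URL."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "uoguelph-infosec-blog-example"},  # constructed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range: Callable[[str], str]) -> Tuple[int, str]:
    """Return (times_seen_in_breaches, prefix_that_was_sent).

    A count of 0 means 'not in the known-breach corpus', nothing more."""
    prefix, suffix = split_hash(sha1_hex(password))
    matches = parse_range_response(fetch_range(prefix))
    return matches.get(suffix, 0), prefix


if __name__ == "__main__":
    for candidate in ("password", "a unique passphrase not in the sample"):
        seen, sent = check_password(candidate, fetch_offline)
        verdict = f"seen {seen} times in breaches" if seen else "not in the sample corpus"
        print(f"{candidate!r}: sent only prefix {sent}; {verdict}")
```

To use it against the real service, pass `fetch_live` instead of `fetch_offline`; the only value that crosses the network is the five-character prefix, which is shared by roughly a million other hashes, so the server learns nothing about which password you checked.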
What Can I Do to Protect My Accounts?
In general, everyone should follow these password best practices:
- Ensure your University password is never used for any other accounts
- Use unique passwords for all of your online accounts - if a reused password is breached on one site, every other site where it is used is also exposed
- Change your passwords on a frequent basis (see the InfoSec Blog "When Should I Change My Password? [2]")
- Always use a strong password or passphrase (see the InfoSec Blog "The Master Passphrase - One Password To Rule Them All [3]")
- Consider using a password manager to keep track of all your passwords (see the InfoSec Blog "Getting Started With A Password Manager [4]")
- Use two-step verification on sites that offer it (see the InfoSec Blog "Securing your Online Identities with Two-Factor Authentication [5]")
Written by: Chris Lee (Manager, Information Technology Services) and Stephen Willem (Manager, Information Security)