ITS was recently notified by that several thousand luc.edu accounts were listed as part of the 1.4 billion aggregate database of usernames and clear text passwords that was found in an underground community forum.
What is it?
As hackers accumulate login and password information from phishing scams and other means, they generally either sell this information on the dark web or post it to allow other hackers to use it in more hacking attempts. ITS monitors these sites and notifies anyone whose account might be listed.
What Does This Mean for You?
Affected users received an email from the DataSecurity mailbox. For individuals that received the email, your luc.edu email account along with a password was listed in this large database. Although we believe that these passwords are expired it is possible that you may have used this password on other non-Loyola sites. As a precaution, ITS recommends that you change your Loyola password using password self-service and change your password as soon as possible. We would also recommend that you check for any non-Loyola sites where you may have used your LUC email address as a logon ID and change your password there as well.
What am I being asked to do?
Most of this information is acquired through phishing attacks. Attacks of this type will only continue if the attacker is getting useful information. No one at Loyola University Chicago will ever ask you for your password. It is not the practice at Loyola to provide links requesting credentials to re-enable or verify account information because of an issue with your email. If you see one of these emails, simply delete it. If you have followed through and provided your information go to the password self-service under links on the LUC home page and change your password. If you use your LUC email address at other non-LUC sites, it is recommended that you change your password there as well.
How Do I Help Prevent This?
Change your password regularly, especially on public sites that do not have a password expiration policy. Do not click on suspicious links in emails. Attackers prey upon one’s sense of urgency and panic to get users to click on links without checking where that link goes. Do not open email attachments unless you are expecting them and trust the person who sent them.