This week’s news of a data breach at eBay follows announcements about data compromises at Adobe, LinkedIn and Target over the last six months, although the data breaches may have begun as early as 2012. In March, Rice’s IT Security Office identified links between external data breaches, stolen NetID credentials, and this year’s significant increase in the number of compromised email accounts used in the distribution of phishing messages.
Like the tides, the ebb and flow of millions of phishing messages across the Internet have become a sort of background noise for everyone with an email address. But in January, a tidal wave of phishing messages from rice.edu addresses began flooding both internal rice.edu email addresses and external email accounts.
What is Phishing?
When an individual falls for a phishing message, their email account is compromised, and that account begins a new cycle of phishing distribution. All the contacts in that victim’s address book receive a phishing message which appears to be sent from their colleague, friend or family member. If those recipients respond, their email account and their contact lists are sucked into the vortex and the process begins again. Lists of compromised accounts and lists of contacts are posted on public bulletin boards where they are shared among other criminals who scoop up the new lists of potential victims for their own identity scams.
In addition to the tides of individual phishing messages, the big players in the Internet crime world are the hackers who breach a commercial, educational or non-profit database and harvest thousands of user addresses, passwords, birth dates and credit card numbers. Unfortunately, eBay is only the most recent victim of this kind of large-scale break-in.
Why External Breaches Matter to Rice
The most threatening aspect of external database breaches for Rice is the compromise of Rice NetID addresses and passwords. Many Rice faculty, staff and students use their Rice NetID address AND Rice NetID password on external sites and systems. When an external system like eBay, Adobe or LinkedIn is breached, the Rice account details are then used to break into Rice resources. From accessing restricted library journals to sending new phishing messages from Rice email accounts, the threat to Rice’s data and systems is very real.
Even eBay recommends against sharing passwords across multiple sites or accounts.
“In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”
http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords
Change Your NetID Password If You Haven’t in the Last Two Years
If you use your Rice NetID email address in external systems, be sure to use a different password than your Rice NetID password. If you ever used your NetID password in an external system (including Google, Amazon, Facebook, Adobe, LinkedIn and eBay) and if you have NOT changed that NetID password at Rice in the last two years, change your NetID password now.
The new MyNetID.rice.edu web site provides an easy way to manage your NetID password, but the Help Desk also assists Rice faculty, staff, students and retirees with their NetID questions.