Notification of .edu server breach mistaken for phishing email

Educause requires password changes … and is criticized for sending ‘suspicious’ email

The administrators of 7,000 university websites are being required to change their .edu domain account passwords after a security breach ... one that was reported to them by Educause, the non-profit higher-education IT group that administers .edu, via an email that some complained bore the markings of a phishing attempt.


First the breach. From a statement issued yesterday by Garth Jordan, vice president of operations for Educause:

"On February 5th, EDUCAUSE discovered that the server that maintains the .edu domain information and our member profile information was breached. The breach may have compromised .edu domain passwords and information contained in individual EDUCAUSE website profiles, including names, titles, e-mail addresses, usernames, and passwords. Based on our investigation to date, we do not believe the breach included access to credit card data, financial accounts, or other sensitive information.




"EDUCAUSE took immediate steps to contain this breach and we are working with Federal law enforcement, investigators, and security experts to make sure this incident is properly addressed. Additional security measures have been implemented to help prevent any future occurrences.

"As a precaution, we are proceeding as though all individual EDUCAUSE website profiles and all .edu domain holders might have been impacted. We have notified via email all .edu domain holders and all individuals with website profiles about the breach and requested that they change their passwords. All that is required from those impacted by this breach is a password re-set."

More information from Educause and instructions for changing the passwords can be found here.


That initial Educause breach notification, however, had some treading carefully, as the fact that it included links to a third-party website made it "impossible to differentiate from a phishing e-mail," according to one member.

Another urging caution was Purdue computer science professor and security expert Gene Spafford, who in a listserv reply yesterday called the email "a reasonably good fake and some people are likely to fall for it."

Today Spafford expounded on his concern in an email exchange with me.

"Organizations should structure their email to reinforce avoidance of 'phishing' email," he said. "Thus, including clickable links and using links to unidentified third parties should be avoided, because these are standard in phishing email.

"The EDUCAUSE (password) reset message was especially egregious because it so resembled a standard phishing approach: 'Your password needs to be reset now!  Click on the following!' where the embedded link went to a third-party site with 'educause' embedded in the URL along with a sequence of meaningless characters. Given what is known about phishing and user behavior, this was bad form.  For an education-oriented organization to do this is particularly troubling."

In response, a spokesman for the group tells me: "EDUCAUSE understands their member concerns about phishing, and responded to alleviate their concerns."

By "responded" he means they assured those who expressed concern that the email was legitimate.

Hopefully, there won't be a need to do so next time around, if, unfortunately, there is a next time.
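Spafford's advice above can be turned into a pre-send check on outgoing notices. The following Python sketch is an added example, not part of the original article and not anything Educause is known to use. It flags links that leave the sender's own domain, embed the sender's name in a third-party URL, or carry an opaque token. The function names, the sample message and the token heuristic are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample (all names and values are made up): a reset notice whose
# link goes to a third-party host with the sender's name embedded in it.
SAMPLE = """\
From: Example Org <notices@example.org>
To: admin@university.example
Subject: Your password needs to be reset
Content-Type: text/plain

Your password needs to be reset now. Click on the following:
http://example-org.mailer.invalid/t/r-l-kdjtluk-ojikkhuju-r/
Or sign in as usual at https://www.example.org/ and choose "Change password".
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Heuristic (assumption): a long path segment of URL-safe characters is a token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")

def org_domain(host):
    # Simplification: last two labels. Production code should consult the
    # Public Suffix List to handle suffixes such as .ac.uk correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lint_notification(raw):
    """Return [(url, [issues])] for links that resemble phishing patterns."""
    msg = message_from_string(raw)
    sender_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    brand = sender_org.split(".")[0]
    findings = []
    # Assumes a single-part text body; multipart mail needs msg.walk().
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if org_domain(host) == sender_org:
            continue  # link stays on the sender's own domain
        issues = ["third-party host"]
        if brand in host or brand in parts.path.lower():
            issues.append("sender name embedded in third-party URL")
        if any(TOKEN_RE.fullmatch(seg) for seg in parts.path.split("/")):
            issues.append("opaque token in path")
        findings.append((url, issues))
    return findings

if __name__ == "__main__":
    for url, issues in lint_notification(SAMPLE):
        print(url, "->", "; ".join(issues))
```

A notice that passes this check tells recipients to go to the organization's own site by their usual route, which is the structure Spafford recommends.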



Copyright © 2013 IDG Communications, Inc.
