NY: 2,690 University of Buffalo logins stolen in data breach (updated)
Benjamin Blanchet reports:
Thousands of UB community members’ account information have been hacked.
On Friday, UB confirmed that J. Brice Bible, vice president and chief information officer, is investigating and responding to a breach of 2,690 UBITName accounts. The breach affects 1,800 student accounts, 862 alumni accounts and 28 faculty and staff accounts, according to UB spokesperson John Della Contrada.
“Our initial investigation indicates that the affected individuals’ login information was stolen when they visited a non-UB website and entered their university login information,” Della Contrada said in a statement.
Read more on The Spectrum.
Update: I had written to UB to ask whether this was a phishing attack or how so many UB members had their credentials compromised. A university spokesperson answered me:
1. We do not know specifically the external service that was compromised. It could be many. Students (and the population in general) signup for many services in their daily lives. The problem stems from the fact that affected students and others used the same username, email and password as they use at the university. Students are educated throughout the year not to use their university credentials when signing up for external services.
2. We haven’t correlated the third-party service to any phishing scheme. In fact, it may not have been from a phish at all but a legitimate service. We will attempt to determine specifics by reaching out to impacted users.
So that wasn’t exactly what I had expected to hear back, and I’m glad I asked. Hopefully, we’ll see an update at some point.