The Office of Information Security has identified a phishing threat in which the sender indicates they have compromising information about the recipient, offering as proof a plaintext password that may look familiar to the recipient. These passwords are NOT an indication that the sender has access to any special information about you. They are simply gathered from information widely available from past breaches of entities outside of the university. If you are still using one of these passwords, please change it immediately. The email will go on to describe the embarrassing information they claim to have, then demand a cash payment to keep that information secret. The sender of these malicious emails does not have the personal information they claim to have. Below, you will find an example of one of these messages.
Checking Your Accounts for Breaches
If you would like to check your email accounts for past breaches that may have revealed personal information or passwords, the website Have I Been Pwned offers a simple tool that will check your email addresses for compromises. Please follow the link below if you would like to check your email addresses.
Protecting Your Accounts Against Future Breaches
Using a reputable password manager is another way to alleviate these types of concerns. Some password managers even check databases like Have I Been Pwned for account breaches, then notify users when they need to update a password as a result of a breach. You can learn more by reading our recent article about password managers.
If you receive an e-mail such as this or any other suspected phishing attempt, please do not click on any links or download any files from the e-mail. Simply forward the e-mail to email@example.com and delete the e-mail from your inbox.
If you have additional questions or concerns, please reach out to us at the Office of Information Security at firstname.lastname@example.org. We appreciate all that you do to keep our university secure.