What's the Deal with Publicly Posted Credentials?

Summary

The following FAQ is intended to address the most common questions received from users whose accounts have been secured because their university credentials were posted publicly. 

USNH Cybersecurity has contracted with a variety of sources to provide information on credentials (usernames and passwords) associated with University-wide students, emeritus and staff that were collected in the breach of another company's systems and posted in the public domain. USNH Cybersecurity researches the information provided to determine whether action is necessary. In some cases no action is required because the account holder has changed their password between notifications. If you reuse your institution email address, username and password for outside accounts, such as a LinkedIn account, and that service suffers a breach involving stolen credentials, you will be required to change your password. Practicing good credential hygiene can help reduce this risk to the University System and is highly recommended by USNH Cybersecurity. This will:

1. Limit exposure for the University; and

2. Decrease the likelihood of a password change due to an external breach

When these alerts are received, the standard operating procedure is to secure the user’s account in order to prevent unauthorized access to university resources. 

 

Questions

 

Q1 - How does Cybersecurity know the alert is legitimate?

Q2 - Were my credentials stolen because of a breach of university systems?

Q3 - How did someone get my university credentials?

Q4 - How do I know what password was exposed?

Q5 - Why do I have to change my university password if I have never used my university email or password for any other account?

Q6 - Can you tell me which password was posted publicly so I know whether or not I need to change it?

Q7 - How do I regain access to my account?

Q8 - How do I protect my account and avoid changing my password more often than required? 

 

Answers

 

A1 - How does Cybersecurity know the alert is legitimate?

  • The alerts Cybersecurity uses for these purposes are from trusted sources that may include large corporations, government agencies, and industry groups. 

 

A2 - Were my credentials stolen because of a breach of university systems?

  • Most alerts regarding publicly posted credentials impact a small number of users, which does not point to a breach of any university system. Each notification is reviewed to determine whether it indicates that a more significant university-centered event has occurred, and appropriate action would be taken if there were reason to suspect any kind of breach.

 

A3 - How did someone get my university credentials?

  • Unfortunately, there is rarely enough information provided in the alerts we receive (or on the sites where stolen credentials are posted) to answer this question.  There are a variety of ways that user credentials can be stolen including phishing attacks, data breaches at other companies (like Yahoo and LinkedIn), and credential harvesting malware.  

 

 

A4 - How do I know what password was exposed?

  • Unfortunately, there is not enough information provided in the alert to determine when the credentials were harvested, and the exposed password is not provided in the alert for security reasons. This means there is no way to know for certain which password associated with your university username or email was posted publicly.
  • For this reason, we require that the password associated with any potentially compromised university account be changed.

 

A5 - Why do I have to change my university password if I have never used my university email or password for any other account?

  • Unfortunately, because we are unable to determine how your credentials were harvested, we cannot guarantee that the posted credentials do not include your current university password. Additionally, the alerts provide a university username or email; they do not provide the password that was publicly posted in conjunction with that university identifier. This means there is no way to know for certain that the password posted with your university username or email address is NOT your current password.
  • For these reasons, we require that the password associated with any potentially compromised university account be changed.

 

A6 - Can you tell me which password was posted publicly so I know whether or not I need to change it?

  • The alerts we receive do not provide the publicly posted password associated with your university username or email, as that would further compromise the security of any accounts utilizing that password.
  • For this reason, we cannot provide you with the publicly posted password. Once you have changed the password for your university account, we highly recommend that you also change the password of any other account where you have used the same password as one used with your university account.

 

A7 - How do I regain access to my account?

  • When your university user account is secured, you must call or visit the Help Desk in person to recover access to your account. 
  • Visit the Technology Help Desk Support page for local campus Help Desk contact information.
  • Campus Help Desk phone numbers:
    • KSC:  603-358-2532
    • PSU:  603-535-2929
    • UNH:  603-862-4242

 

A8 - How do I protect my account and avoid changing my password more often than required? 

 

 

Further Readings

The Phishbowl 

Good Security Practices to Adopt at Work/School, and at Home

 

Need additional help?

General Cybersecurity Services - for questions about publicly posted credentials (PPC)

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request.  For password issues you must call or visit the Help Desk in person.