EDUCAUSE Security Breach and Password Change Information

As of 2/19/13

In February 2013, EDUCAUSE discovered a security breach involving an EDUCAUSE server. Below are answers to questions about this breach.
 

Who was affected and what data was involved?

  1. Individuals with an EDUCAUSE website profile

    1. Any information contained in individual EDUCAUSE website profiles (e.g., name, title, e-mail address, username, and hashed password) may have been compromised. As a result, individuals with an EDUCAUSE website profile must change their password.
    2. It is not necessary for InCommon account holders to update their institutional credentials because EDUCAUSE does not have access to, or store on any server, InCommon account information.

       

  2. .edu domain accounts

    1. The breach may have compromised the hashed passwords of .edu domain holders. As a result, the designated administrative, technical, or billing contact must change the domain password. Administrative and technical contacts have already been notified by EDUCAUSE.

As a precaution, all passwords have already been deactivated; therefore, individuals do not need to create new passwords immediately.

Members and individuals who do not have an EDUCAUSE website profile or are not a .edu domain holder are not required to take action.
 

Who was notified?

Individuals with active EDUCAUSE website profiles and administrative and technical contacts for .edu domain accounts were notified via e-mail on Tuesday, February 19. The e-mail notice was sent through our mass e-mail marketing software (Informz). Links within the e-mail are redirected through this marketing product.

Because e-mail delivery isn’t always guaranteed, EDUCAUSE also posted messages in social media, on its website, in several constituent and discussion groups, and on the .edu website.

Members and individuals who do not have an EDUCAUSE website profile or are not a .edu domain holder were not notified because they do not need to take any action. This includes individuals who subscribe exclusively to our constituent and discussion groups. Prior to June 8, 2012, subscribers to EDUCAUSE groups were not required to have a profile; therefore, many individuals who only use this service are not affected.
 

Was any sensitive personal or financial information accessed?

Based on our investigation to date, we do not believe that any sensitive personal or financial information has been accessed.
 

What steps has EDUCAUSE taken to prevent similar security breaches in the future?

EDUCAUSE took immediate steps to contain this breach and is working with federal law enforcement, investigators, and security experts to make sure this incident is properly addressed.

Along with outside security experts, EDUCAUSE has implemented additional security measures to help prevent this type of breach in the future.

As a precaution, all passwords have been deactivated. Individuals with EDUCAUSE website profiles and .edu domain holders are being asked to create a new password.
 

How do I create a new password?

  1. Individuals with an EDUCAUSE website profile:

    We request that you create a new profile password.

    Please do not use your old password. You should create a new password that is 8 or more characters and is made up of a combination of

    • at least one uppercase letter,
    • at least one lowercase letter,
    • at least one digit, and
    • at least one special character.

    If you have changed your profile password after 1:15 p.m. EST, February 19, 2013, you do not need to change your password again.
     

  2. .edu domain account holders:

    We request that you create a new domain password.

    Please do not use your old password. You should create a new password that is 8 or more characters and is made up of a combination of

    • at least one uppercase letter,
    • at least one lowercase letter,
    • at least one digit, and
    • at least one special character.

    If you have changed your .edu password after 2:00 p.m. EST, February 15, 2013, you do not need to change your password again.
     

Who should be contacted with questions regarding this matter?

For help with EDUCAUSE website profile password changes, please contact EDUCAUSE Member Services at [email protected] or +1-303-449-4430.

For help with .edu domain password changes, please contact EDUCAUSE Member Services at [email protected] or +1-303-449-4805.

For media inquiries, please contact Pete Boyle, Senior Vice President for Lipman Hearne, at [email protected] or +1-202-536-8088.