Stanford U Tells Users To Change Passwords after Hack Attack

Stanford University is working with law enforcement and security consultants to investigate a data breach in its IT infrastructure that appears to have divulged user names and possibly other information. As a precaution, the California institution has asked all users of the university network to change their passwords.

The news was made public in an email sent by Randy Livingston, vice president for business affairs and chief financial officer, to the Stanford community. Livingston suggested that the attack was similar to the ones reported in recent months by a number of large organizations, although he didn't specify which security breaches he was referring to. "We are unable to provide additional detail at this time, given the ongoing nature of the investigation and the importance of limiting any damage from the incursion," he stated.

Besides the email, Stanford is reminding users to change their passwords through a boxed notice on every page of its public Web site.

  A notification on every page of Stanford's Web site warns users to change their password.

In recent months, data breaches have taken place at the Federal Reserve, Facebook, Associated Press, Evernote, Twitter, and many other sizable holders of consumer and business data.

Coverage by Seth Fitzgerald on Newsfactor.com suggests that the comparison of the Stanford breach to other well-publicized "politically-based" hacking incidents was ill-placed. "Stanford does not conduct classified research, making it an odd target," he wrote.

One set of Twitter feeds on the topic of the Stanford hack pointed to an individual named "Ag3nt47" as being a possible culprit. In May 2013, according to security expert Greg Hoglund, this individual had posted a "data dump" onto Pastebin.com consisting of names, email addresses, physical addresses, and other information culled from the accounts of Stanford users affiliated with the Institute for Computational and Mathematical Engineering.

In his reporting, Fitzgerald also suggested that the hack could have originated in China, "in which young nationalists feel that attacking virtually any United States government organization or university is a sign of Chinese patriotism."

In 2012 Stanford experienced three known data breaches. The latest was in October, when 53 universities around the world were hit by a group called Team GhostShell, which made student, staff, and faculty personal data, including user names and passwords, public.

The university's latest recommendation to its users is to create a new password that adheres to these rules:

  • It has to be different from the current password;
  • It must be between eight and 40 characters in length, though IT would prefer it to be at least nine characters long;
  • It shouldn't include any part of the student ID number;
  • It shouldn't be a word found in the dictionary;
  • It can only be composed of characters in the Roman alphabet or symbols on the U.S. keyboard;
  • It should be as long and as random as possible, but not so hard to remember that it needs to be written down;
  • Phrases made up of random words are acceptable as long as they're at least 15 characters long.
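
The rules above can be expressed as a server-side check. The following is an added example, not Stanford's code: the function names, the constructed word list, and the four-character threshold for "any part" of the student ID are assumptions, since the article does not define them.

```python
import string

# Characters on a U.S. keyboard: printable ASCII letters, digits, punctuation, space.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")
# Constructed stand-in word list; a real deployment would load a full dictionary.
SAMPLE_WORDS = {"password", "stanford", "cardinal", "correct", "horse", "battery", "staple"}
MIN_ID_FRAGMENT = 4  # assumption: the article does not say how long "any part" is


def id_fragments(student_id, size=MIN_ID_FRAGMENT):
    """Every contiguous run of `size` characters from the ID."""
    return {student_id[i:i + size] for i in range(len(student_id) - size + 1)}


def check_password(new, current, student_id, words=SAMPLE_WORDS):
    """Return the list of rules from the article that `new` violates."""
    problems = []
    if new == current:
        problems.append("same as current password")
    if not 8 <= len(new) <= 40:
        problems.append("length must be 8-40 characters")
    if any(ch not in ALLOWED for ch in new):
        problems.append("character outside Roman alphabet / U.S. keyboard symbols")
    if any(frag in new for frag in id_fragments(student_id)):
        problems.append("contains part of the student ID")
    lowered = new.lower()
    if lowered in words:
        problems.append("is a dictionary word")
    # Passphrase rule: a password built only from dictionary words separated by
    # spaces or hyphens must be at least 15 characters long.
    tokens = [t for t in lowered.replace("-", " ").split() if t]
    if len(tokens) > 1 and all(t in words for t in tokens) and len(new) < 15:
        problems.append("word phrase shorter than 15 characters")
    return problems
```

An empty list means the candidate passes every rule; returning all violations at once lets a password-change form show the user everything to fix in one round trip.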

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
