What’s the Deal with Publicly Posted Credentials?

UNH Information Security Services (ISS) regularly receives alerts from a variety of sources notifying the University that UNH credentials, which can include any combination of UNH email, UNH username, and/or password, have been posted publicly online.  When these alerts are received, the standard operating procedure is to secure the user’s account in order to prevent unauthorized access to UNH resources.

The following FAQ is intended to address the most common questions received from users whose accounts have been secured because their UNH credentials were posted publicly.


How does UNH Information Security Services (ISS) know the alert is legitimate?

The alerts ISS uses for these purposes are from trusted sources that may include large corporations, government agencies, and industry groups. 


Were my credentials stolen because of a breach of UNH systems?

Most alerts regarding publicly posted credentials impact a small number of users, which does not point to a breach of any UNH system.  Each notification is reviewed to determine whether it indicates that a more significant University-centered event has likely occurred, and appropriate action would be taken if there were reason to suspect any kind of breach.


How did someone get my UNH credentials?

Unfortunately, there is rarely enough information provided in the alerts we receive (or on the sites where stolen credentials are posted) to answer this question.  User credentials can be stolen in a variety of ways, including phishing attacks, data breaches at other companies (like Yahoo and LinkedIn), and credential harvesting malware.


How do I know what password was exposed?

Unfortunately, there is not enough information provided in the alert to determine when the credentials were harvested, and the exposed password is not provided in the alert for security reasons.  This means there is no way to know for certain which password associated with your UNH username or email was posted publicly.

For this reason, we require that the password associated with any potentially compromised UNH account be changed.


Why do I have to change my UNH password if I have never used my UNH email or password for any other account?

Unfortunately, because we are unable to determine how your credentials were harvested, we cannot guarantee that the posted credentials do not include your current UNH password.  Additionally, the alerts provide a UNH username or email – they do not provide the password that was publicly posted in conjunction with that University identifier.  This means there is no way to know for certain that the password posted with your UNH username or email address is NOT your current password.

For these reasons, we require that the password associated with any potentially compromised UNH account be changed.


Can you tell me which password was posted publicly so I know whether or not I need to change it?

The alerts we receive do not provide the publicly posted password associated with your UNH username or email, as that would further compromise the security of any accounts utilizing that password. 

For this reason, we cannot provide you with the publicly posted password.  Once you have changed the password for your UNH account, we highly recommend that you also change the password of any other account where you have used the same password as one used with your UNH account.


How do I regain access to my account?

When a UNH user account is secured, it cannot be accessed until the user contacts the UNH IT Service Desk or visits the Academic Technology Service Center in Dimond Library, confirms their identity, and changes their password. 


Best Practices for Protecting Your UNH Credentials
How to Avoid Having to Change Your UNH Password More Often than is Required by Policy

  • Don’t use your UNH email as the username for any account not associated with UNH.
  • Provide a personal email as the email address associated with any non-UNH account.
  • Do not use the same password for more than one account.
  • Do not use the same password for work accounts and personal accounts, but really - do not use the same password for more than one account.
  • Keep your business and personal online presence separate.
  • Learn how to spot phishing emails and get in the habit of checking The Phishbowl before responding to any emails that seem suspicious.
  • Make sure all devices you use to conduct University business have up-to-date anti-malware software installed and that each device is being scanned on a regular basis.
  • Make sure all devices you use to conduct University business are receiving operating system updates and that those updates are being applied on a regular basis.

Questions about publicly posted credentials can be submitted to ISS here

Custom Fields
  • Author: Information Security Services
  • Department: Information Security Services