What’s the Deal with Publicly Posted Credentials?
UNH Information Security Services (ISS) regularly receives alerts from a variety of sources notifying the University that UNH credentials, which can include any combination of UNH email, UNH username, and/or password, have been posted publicly online. When these alerts are received, the standard operating procedure is to secure the user’s account in order to prevent unauthorized access to UNH resources.
The following FAQ is intended to address the most common questions received from users whose accounts have been secured because their UNH credentials were posted publicly.
How does UNH Information Security Services (ISS) know the alert is legitimate?
The alerts ISS uses for these purposes are from trusted sources that may include large corporations, government agencies, and industry groups.
Were my credentials stolen because of a breach of UNH systems?
Most alerts about publicly posted credentials affect a small number of users, which does not indicate a breach of any UNH system. ISS reviews each notification to determine whether it suggests that a larger University-centered event has occurred, and would take appropriate action if there were reason to suspect a breach of any kind.
How did someone get my UNH credentials?
Unfortunately, the alerts we receive (and the sites where stolen credentials are posted) rarely include enough information to answer this question. User credentials can be stolen in a variety of ways, including phishing attacks, data breaches at other companies (such as Yahoo and LinkedIn), and credential-harvesting malware.
How do I know what password was exposed?
Unfortunately, the alert does not include enough information to determine when the credentials were harvested, and for security reasons it does not include the exposed password. This means there is no way to know for certain which password associated with your UNH username or email was posted publicly.
For this reason, we require that the password associated with any potentially compromised UNH account be changed.
Why do I have to change my UNH password if I have never used my UNH email or password for any other account?
Unfortunately, because we cannot determine how your credentials were harvested, we cannot rule out that the posted password is your current UNH password. The alerts also provide only a UNH username or email; they do not include the password that was publicly posted alongside that University identifier. This means there is no way to know for certain that the password posted with your UNH username or email address is NOT your current password.
For these reasons, we require that the password associated with any potentially compromised UNH account be changed.
Can you tell me which password was posted publicly so I know whether or not I need to change it?
The alerts we receive do not include the publicly posted password associated with your UNH username or email, since distributing it would further compromise any account still using that password.
For this reason, we cannot provide you with the publicly posted password. After you change your UNH password, we strongly recommend that you also change the password of any other account where you used the same password as your UNH account.
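The answer above rests on the fact that a plaintext password should never be passed around, even to confirm a match. As an added illustration (not UNH's process or tooling, and not code from the original page), the following shows the k-anonymity range-query scheme popularized by the Have I Been Pwned "Pwned Passwords" service: the client hashes the password locally with SHA-1, sends only the first five hex characters of the hash, receives every matching hash suffix, and does the final comparison itself. The provider never learns the password or its full hash. The exposed passwords, their counts, and the provider/client functions here are constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for a breach-data provider's corpus: SHA-1 of each exposed
# password, mapped to how many times it was seen. The passwords and counts are
# made up for this example. SHA-1 is used here only as a lookup key to match the
# k-anonymity scheme; it is not suitable as a password-storage hash.
EXPOSED_COUNTS = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): seen
    for pw, seen in [
        ("password123", 1157),
        ("Wildcats2019!", 3),
        ("letmein", 842),
    ]
}

# Everything the provider receives is recorded here so the caller can confirm
# that neither the password nor its full hash ever leaves the client.
PROVIDER_QUERY_LOG = []


def range_query(prefix):
    """Provider side (hypothetical). Accepts only a 5-hex-character SHA-1
    prefix and returns every (suffix, count) pair in the corpus that shares
    it. With a real corpus a prefix covers hundreds of unrelated hashes, so
    the provider cannot tell which one the client was interested in."""
    if len(prefix) != 5 or any(ch not in "0123456789ABCDEF" for ch in prefix):
        raise ValueError("expected a 5-character uppercase hex prefix")
    PROVIDER_QUERY_LOG.append(prefix)
    return [(full[5:], seen) for full, seen in EXPOSED_COUNTS.items()
            if full.startswith(prefix)]


def exposure_count(password):
    """Client side. Hashes the password locally, sends only the prefix, and
    compares the returned suffixes against its own. Returns the number of
    times the password appears in the corpus, or 0 if it does not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate, seen in range_query(prefix):
        # Constant-time compare; the suffix is the only secret-derived value
        # handled on this side.
        if hmac.compare_digest(candidate, suffix):
            return seen
    return 0


def is_exposed(password):
    """True if the password appears in the corpus at all."""
    return exposure_count(password) > 0


if __name__ == "__main__":
    for pw in ["Wildcats2019!", "a long passphrase nobody else uses 7!"]:
        print(f"{pw!r}: seen {exposure_count(pw)} time(s) in corpus")
    print("provider saw only these prefixes:", PROVIDER_QUERY_LOG)
```

The point of the design is visible in `PROVIDER_QUERY_LOG`: the provider only ever sees five hex characters, which is why a user can safely test a candidate password against a breach corpus while an alert containing the plaintext could not be shared.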
How do I regain access to my account?
When a UNH user account is secured, it cannot be accessed until the user contacts the UNH IT Service Desk or visits the Academic Technology Service Center in Dimond Library, confirms their identity, and changes their password.
Best Practices for Protecting Your UNH Credentials
How to Avoid Having to Change Your UNH Password More Often than is Required by Policy
- Don’t use your UNH email as the username for any account not associated with UNH.
- Provide a personal email as the email address associated with any non-UNH account.
- Do not use the same password for more than one account.
- Do not use the same password for work accounts and personal accounts, but really - do not use the same password for more than one account.
- Keep a segregation between your business and personal online presence.
- Learn how to spot phishing emails and get in the habit of checking The Phishbowl before responding to any emails that seem suspicious.
- Make sure all devices you use to conduct University business have up-to-date anti-malware software installed and that each device is being scanned on a regular basis.
- Make sure all devices you use to conduct University business are receiving operating system updates and that those updates are being applied on a regular basis.
Questions about publicly posted credentials can be submitted to ISS here.