Compromised Credentials Resources

This document serves to describe common ways credentials can be compromised. In addition, it provides resources that campus offers to help prevent loss of credentials or in case of account compromise.

Common ways accounts are compromised

Phishing

For more details on how to identify and report phishing see: Scams To Avoid: Protecting Your Online Identity

Password Reuse

Occasionally third -party services can be compromised, and usernames and passwords are often left exposed as a result. If you use the same or similar password for multiple services, that can put you at risk for an attacker having access to more than one of your accounts.

For example, in 2018, Chegg, a textbook rental company, suffered a data breach that resulted in over 40 million stolen usernames and passwords. In Fall of 2019, many higher education institutions were forced to reset passwords after discovering attackers gaining access to accounts where the Chegg username and password matched institution credentials. For more information, see: Chegg to reset passwords for 40 million users after April 2018 hack.

Password managers can make using strong, unique passwords easier.

UW-Madison offers LastPass as an enterprise password management service. For details, see: LastPass articles in the KB.

LastPass can also help monitor for password breaches and can help to identify phishing pages using URL matching. For details, see: LastPass - What Cyberattacks Does LastPass Help Protect Me From? and Dark Web Monitoring.

Malware

Some malware may be able to steal your password information. To help protect your device the campus offers the below options.

For anti-malware solutions for campus or personally owned devices see: Recommended Antivirus Solutions & Cybersecurity Roadmap

Protect yourself! Enable Duo Multi-Factor Authentication

Duo Multi-Factor Authentication helps prevent your account from being accessed and data stolen if an attacker successfully has your password. If you believe you received a fraudulent Duo push, please mark it as fraud and consider changing your password. For more information, see: MFA-Duo Overview.

Need help?

Please contact the DoIT Help Desk with any additional questions: Get Help from DoIT.