On Sept. 19 Kent State announced over 3,000 student emails had been hacked the week before.
According to Robert Eckman of Kent State’s IT department, the breach was a result of credential harvesting.
Eckman said in an email, “Credential Harvesting is the process of using some form of technical or brute force in means of gaining both the username and password of a legitimate account holder. Often times hackers use previously hacked credentials against legitimate authentication systems (like the Kent State login) to see if they are still "usable." In other words, if a student had used the same username and password on another site that had been hacked and has not changed their KSU password, then that hacked credential would work here at KSU as well.”
According to Eckman there were two Credential Harvesting incidents that led to this breach, one on 9/22-23 and one on 9/12-13.
“These were very likely bots that were assigned the task of grabbing credentials and attempting to log in using a password spray approach (a technique used by hackers to make it harder for us to see their attempts),” Eckman said. “Once made aware of this attack, the Information Security Team initiated the Cyber Security Incident Response Team. In both cases, we achieved mitigation within hours of being notified. A true testament to the talented and dedicated IT and Security Teams we have at KSU.”
This is the second time in five years the school has dealt with student emails being hacked or breached. In September 2014, student emails were compromised when Russian hackers gained access to passwords of over five million Gmail accounts through a phishing attempt.
Students who had their accounts compromised were encouraged to change their FlashLine passwords. The school doesn't have a long term solution for Credential Harvesting, however students have the option of opting into Multi-Factor Authentication which is an extra credential protection by Microsoft.
“Even if someone gets your credentials, if Microsoft sees a ‘risky’ login attempt it will prompt for the second factor (SMS Text Code or Microsoft Authenticator Application). If the challenge prompt is not met, then access will be denied to your sensitive data,” Eckman said.
Contact Aidan Coyne at email@example.com.