Many WatIAM email accounts have been used to send spam recently due to security breaches of social media accounts like LinkedIn and GitHub, reported Information Systems & Technology (IST).
“Starting Saturday, 22 Feb., we have observed a much higher incidence than usual of Waterloo accounts being used to send spam,” wrote Mike Patterson, manager of information security operations in Information Security Services, in a recent post for the Daily Bulletin. “Based on feedback from affected individuals, IST Information Security Services believes that this is a result of passwords compromised in a breach of LinkedIn in 2012 and GitHub in 2013.”
IST constantly monitors the WatIAM system, with roughly a dozen accounts, usually belonging to students, being hacked by phishing or social engineering. Starting Feb. 22, roughly 70 accounts, including staff and student accounts, were compromised over two to three days.
“It’s impossible to say any given cause,” said Nick Manning, director of media relations and issues management. “This reunderlines the need to use different passwords on different sites to protect your social media identity. The campus community can be assured that the IST has very robust systems.”
Steps have already been taken to lock out these compromised accounts, and all those affected have been notified.
Students and staff who have used their UW email address on a LinkedIn or GitHub account are encouraged to change their passwords immediately and avoid reusing passwords for multiple accounts.
Anyone who receives spam or suspicious-looking messages from an official UW email account should ignore them.