Compromised Accounts

My Account Has Been Compromised! What Do I Do?

An account can be compromised in a variety of ways and quick action to prevent further damage is required. If your information is known to criminals they will attempt to use it to break into your other accounts or devices, so any breach of your account or personal information is serious, and should be treated seriously.

  1. Change your ONU password: (refer to password tips below)
    Immediately update your ONU password by visiting https://myaccount.microsoft.com.
  2. Change all of your other passwords: (refer to password tips below)
    Update personal passwords (banking, shopping, social media) immediately by going to the source organization(s).  You should do this from a known secure device since your device may be compromised and may pass the new passwords on to the attacker.
  3. View customized security info/training
    ONU uses KnowBe4 to provide security info and training modules. Visit https://knowbe4.olivet.edu to see if any modules are available to you for more information
  4. Scan for malware/spyware: 
    Every device should be checked for malware, spyware and other malicious software. Alternatively, reset your device to a new state and rebuild it.  Contact your device manufacturer or a computer professional for assistance if needed.

If you need additional assistance, contact the Help Desk or stop by in lower level Benner.

 

Why Are These Steps Important? 

You might think your account isn't important, but there are many ways where your account can be used by criminals for financial (or other) gain. Even if you don't think you store anything private, there is significant value in the account itself, or they can use your account to get at information of value. When an account is compromised, not only is sensitive data put at risk, the attacker gains access to computing resources that allow them to expand their attack. Here are a few things that criminals look for:

  • Information about you that can be used to steal your identity, commit fraud, and target your email contacts for phishing and fraud.
  • Information about you or others that can be used for extortion at a later date, or to combine with data from other sources to impersonate and manipulate a person's actions.
  • Access to your student or HR record, email, grades, direct deposit, tax information, etc.
  • Access the ONU network, processing power, storage and services that they can use to commit crimes against you or others.
  • Access to academic research and resources, library services and journal subscriptions.

 

How Can My Account Get Compromised? 

  • Phishing - There are many variants of phishing messages that attempt to trick you into taking some sort of action. You should never confirm your identity in an email or provide confidential information to anyone over email. More
  • Stolen Passwords - Passwords are stolen via many methods or can be cracked by trial and error...or simply just by knowing information about you. More
  • Password Reuse - Using the same password on multiple accounts is a leading cause for account compromise. Attackers can harvest passwords via security leaks or past data breaches on external accounts then just try millions of combinations until they get in. 
    • Don't ever reuse your ONU password on another account. 
    • Be even more careful if an account uses your ONU email address as a username. If an attacker gets one, they can easily have access to the other.
      More
  • Password Sharing - Don't ever share your password with anyone. Ever. 
  • Weak Password - Simple passwords are easy to break. Most of the time, attackers don't even need to break a simple password they just try a list of the most common passwords to get right in.  More
  • Unsecured Networks - Free wi-fi is a great idea, but many networks are unsecured and any attacker on that network can intercept your traffic. More
  • Malware - Viruses or scripts on websites or in attachments can infect your device and capture information that exists on the machine or as you enter information into other websites. 
    • Opening any unknown attachment in an email, "lost" flash drives or on websites
    • Interacting with an infected phishing email.
    • Visiting an infected website without realizing it was doing something malicious in the background.
    • Interacting with a compromised social media post or account. 

Password Tips: Make them Strong and Secure

  • DO: Use passwords that are hard to guess but easy to remember. 
    • Avoid making your password a word you can find in the dictionary.
    • Use a "pass phrase" by stringing multiple words together in a way that you can remember without it being simple to guess.
    • Random passwords are the strongest. 
  • DO: Use combinations of characters.  Use upper and lower case letters, numbers, symbols and special characters. Some sites don't allow specific characters, but use them wherever you can. 
  • DO: Use longer passwords. Short, simple passwords are easy to hack, make it hard for the bad guys by making it longer than 8 characters. 
  • DO: Use a password manager. 
    A password manager can organize and assign complex passwords and help you keep a different one for every site.
    Example Utilitites: LastPass, 1Password, KeePass, Dashlane, Keeper
  • DO: Use Multi-Factor Authentication (MFA, 2FA). MFA allows for much more security to prevent access by attackers even if they get your password. 
  • DON'T: Use the same password in multiple places. Using the same password on multiple accounts is a leading cause for account compromise.  
  • DON'T: Share your password. 
    • Don't ever reveal or share your password with anyone...ever. Including co-workers, friends or family.
    • IT support will never demand you share your password. Don't give it out.
    • Don't enter your password on forms
  • DON'T: Store your password unsecurely.
    • Don't use the remember password features on browsers.
    • Don't store passwords in a file on your computer or in the cloud. 
    • Don't store passwords in any program that isn't a secure password manager.
  • DON'T: Keep using the same password.
    • If your password is new, reset or temporarily assigned, change it right away!
    • Adding a number to a previous password is a very bad practice.
What makes a bad password? 
  • Names: your own name, your parents, pets, friends, celebrities, etc.
  • Dates: 1984, 2015, anniversaries or famous years like 1776 or 1492.
  • Your phone number, address, birthday, etc.
  • Your social security, drivers license, or license plate numbers.
  • The phrases "let me in", "open up" or similar.
  • The word password, pass, p@$$word or similar
  • Simple patterns: "hahahahaha", "qwerty123", "asdfjkl;" or "12345678".
  • Any password used as an example in a manual or in help guides (like this article).
  • Any password that you use anywhere else.
  • Any password that you recycle or increment by a number.
  • Anything on this list (or slight variations) of the worst passwords: https://nordpass.com/most-common-passwords-list/