The public release of credentials (email addresses and associated passwords) related to the 2018 Chegg breach unfortunately affected the U-M community.
Thank you to those of you who assisted students and others whose UMICH passwords were reset in late September as a result of reuse at U-M of passwords exposed in a data breach at Chegg, a commercial textbook and study site. Thank you to all who were affected by this for your understanding and patience as ITS worked to bring in additional staff to reduce the wait time for people contacting the ITS Service Center.
Password resets are complete. All UMICH (Level-1) passwords that matched passwords exposed in the Chegg data breach reset as of October 3. The resets were necessary to help protect the individuals involved and the university.
A summary of actions taken to investigate and resolve this incident, and keep you informed, has been published as an update to the advisory on Safe Computing.
Security is a shared responsibility. We all have a part to play in securing the university’s systems and data, as well as our own.
- Use unique passwords for each account and site. Password reuse and sharing expose the university and the user to unnecessary risk.
- Use two-factor. Use of two-factor (Duo) for Weblogin stops an attacker who has your UMICH password from logging in to Wolverine Access, your U-M Google Mail, and other U-M services that you log in to via Weblogin. This is why we are expanding the use of Duo at U-M by requiring students to use it as of January 2020.