During a security sweep, the University of Richmond’s information security staff discovered a website containing a list of stolen account credentials – a list with approximately 1.4 billion pieces of private account information such as email addresses and passwords.
“From what we’re able to tell, it’s very, very deep within the web,” Cynthia Price, the university’s director of media and public relations, said of the recent discovery. “It’s a concealed website.”
To put the list’s enormity into perspective, the largest internet-era data breach occurred in 2013 when 3 billion Yahoo users were affected by a hack, according to CSO Online, a technology news website. The next biggest was in 2014 when eBay asked 145 million users to reset their passwords after hackers accessed accounts through stolen information.
According to the Richmond Journal of Law and Technology, a breach is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.”
The list on the website discovered by the University of Richmond may be related to previous data breaches.
In an email to students and staff on Friday, the university wrote that the list was “compiled from several data breaches that have occurred over the past several years, such as LinkedIn®, Adobe®, Yahoo®, and other domains,” and that “included in the list were credentials associated with approximately 3,000 richmond.edu email accounts.”
After university emails had been discovered on the list, UR sent its message to inform students and staff about the incident so they could check their accounts. Also attached was a video on creating strong passwords.
UR’s information security staff confirmed that the website acquired the information from emails tied to external sites and made it clear that the school’s information system had not been compromised.
“There is no breaching of our system whatsoever,” Price said, “but because (the website’s list) still contained emails linked to us, we wanted to make sure we alerted people to check their accounts.”
This doesn’t mean people shouldn’t be concerned. The individuals who collected this information likely did so with ill intent. As Price explained, “unscrupulous people will collect that data and hold it in hopes that they can somehow use it elsewhere.”
With more than 1.4 billion credentials to sift through, the extent of the list’s information isn’t yet fully known. Attempts were made to contact the Virginia Attorney General’s office for comment on whether an investigation was underway, but the office has not responded.
Scott Malone, Contributing Writer