Carnegie Mellon University

Red Keyboard

October 03, 2019

Password Reuse Leads to Andrew Account Compromise

CMU users who have used the textbook rental company Chegg or the fashion and sneaker trading platform StockX may have been affected by a recent security breach. In September 2018, it was reported that Chegg had suffered a massive data breach impacting 40 million of its customers. In August 2019, StockX reported that 6.8 million users were affected by a data breach. Both breaches exposed the username, email address, shipping address, and password of the affected users.

During the final week of September, the Information Security Office (ISO) matched a number of recently compromised Andrew account passwords to passwords exposed in the Chegg and/or StockX breaches. Additional accounts were also found to be reusing their Andrew password on these sites, though those accounts had not yet exhibited unauthorized use. In all, several hundred accounts were reusing the Andrew password. All accounts were suspended pending further analysis before password resets were performed.

While using the same password for multiple accounts makes it easier to remember your passwords, it also has a chain effect: when any one site is compromised, an attacker can use the leaked password to gain unauthorized access to every other account where it was reused. This is particularly concerning for more sensitive accounts such as your Andrew account or your online banking account. All of your passwords should be unique and never reused. Attackers keep trying to log in with old breached passwords, knowing that those passwords are likely to be reused somewhere.
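As an added illustration (not ISO's tooling, and not code from the original notice), here is one way a breach-corpus check like the matching described above can be done locally: leaked-password hashes are bucketed by a short SHA-1 prefix, in the style of a k-anonymity range lookup, so a query only ever exposes the 5-character prefix rather than the full hash. The leaked-password corpus and the account list below are constructed sample data, and the example assumes the candidate password is available in plaintext at the moment of the check (for instance at login or password-change time).

```python
import hashlib
from collections import defaultdict

# Constructed sample "breach corpus". The real Chegg/StockX dumps are not
# used here; these entries are made up for the example.
LEAKED_PASSWORDS = [
    "Password123",
    "letmein",
    "tartan2019",
    "correcthorsebatterystaple",
]

PREFIX_LEN = 5  # k-anonymity range model: lookups reveal only this many hex chars


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest of a password (the usual breach-corpus format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Bucket every leaked hash by its first PREFIX_LEN hex chars.

    Returns {prefix: set(suffixes)}. A client asking for a bucket learns every
    suffix in it but never has to reveal which one (if any) it cares about.
    """
    index = defaultdict(set)
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
    return index


def is_breached(password: str, index) -> bool:
    """True if the password's SHA-1 appears in the breach corpus.

    Only the prefix is used to select a bucket; the suffix comparison happens
    locally, mirroring how a k-anonymity range query would be consumed.
    """
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in index.get(h[:PREFIX_LEN], set())


def find_reused(accounts, index):
    """Return the usernames whose candidate password is in the breach corpus.

    accounts: {username: plaintext_password} (hypothetical; assumes the
    plaintext is in hand at check time, e.g. during login or a reset).
    """
    return sorted(user for user, pw in accounts.items() if is_breached(pw, index))


if __name__ == "__main__":
    # Constructed account list for demonstration only.
    sample_accounts = {
        "alice": "letmein",
        "bob": "UniqueOne!92-not-in-any-dump",
        "carol": "tartan2019",
    }
    idx = build_range_index(LEAKED_PASSWORDS)
    print("accounts reusing a breached password:", find_reused(sample_accounts, idx))
```

Accounts that come back from `find_reused` are the ones to force a reset on; the bucketed index is what keeps the check from leaking the full hash of a password that turns out not to be in the corpus.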

To help with password management, consider using a password manager to create and store strong, unique passwords for each of your accounts. See the Password Manager Guidance webpage or visit the Guidelines for Password Management for more password resources.