Investigations on the full extent and severity of an “apparent breach” on Stanford’s information systems infrastructure over the summer continue this fall. All SUNet ID holders were compelled to change their account passwords after the discovery and were advised to remain vigilant across all devices and to adopt a number of enhanced precautionary measures while online.
The breach was launched from overseas according to an email addressed to the entire Stanford community from Vice President for Business Affairs and Chief Financial Officer Randy Livingston. The attackers were believed to have gained access to all Stanford SUNet ID account usernames and a “hashed,” or disguised, version of the passwords.
While SUNet ID accounts do not provide access to personal information such as social security numbers, the full extent of the information accessed by the attackers remains unknown, according to University chief spokesperson Lisa Lapin.
“We don’t believe they’ve accessed personal information, but it’s not entirely possible to see what they’ve accessed,” Lapin said.
The advice to change account passwords was solely a “precautionary measure,” Livingston wrote in a statement to The Daily. Livingston added that the attack resembled other recent online intrusions against American companies and universities.
In order to prevent similar incidences in the future, the University has adopted new security measures. One of the first is a two-step authentication. For “critical applications” such as Axess or Oracle, users will be required to input a second means of identification in addition to their usernames and passwords.
By Aug. 19, over 3,000 SUNet account holders began using this security feature, Livingston stated in a campus-wide email written to the Stanford community. This two-step authentication is currently voluntarily but is expected to become mandatory soon.
In a statement to The Daily, Livingston did not note any additional updates since the Aug. 19 letter.
The University is still moving forward with further investigatory work—systems diagnostics, intensive activity monitoring and working with law enforcement and other experts.
Livingston calls for cooperation from users, who will be expected to take more personal responsibility for security of user devices and confidential information as outlined in his campus-wide email.
“It is important to recognize that the hackers of today are very sophisticated,” Livingston wrote in a statement to The Daily. “We cannot assume that new procedures, passwords and security enhancements fully eliminate their continued presence.”
“It may take several iterations of security improvements over some period of time to regain confidence in the security of the network,” she added.