Compromised Accounts

Overview

A compromised account is one whose credentials have come into the hands of someone other than its owner, who then uses it for unauthorized activity such as sending phishing email, committing financial fraud, or stealing data. Email accounts are the most visible target, but the same applies to any UM account.

This article outlines the steps users must take to recover access and secure their accounts after a compromise, along with the University of Montana's incident response, which follows the Identify, Protect, Detect, Respond, and Recover functions of the NIST Cybersecurity Framework.

If you just want to know when your account will be working again, skip to “Steps for Users to Regain Access.”

Information

Why Compromised Accounts Require Quick Response

When an account is compromised, sensitive university data, personal data, and computing resources are put at risk. Even an account with little or no access to university data, and nothing its owner considers private in email or personal files, is valuable to an attacker: phishing or fraudulent invoices sent from a trusted @umontana.edu address are far more convincing than the same message from a stranger. Your UM account also provides access to your student or Human Resources record, your email, and possibly your grades, direct deposit details, and other personal information.

How Accounts are Compromised

  • Phishing. Emails that ask you to verify, validate, or upgrade your account by logging in to a webpage or providing your password are most likely phishing scams.
  • Password Stolen on Another Site. Reusing your UM password on other sites, especially those where your UM email address is your username, puts UM resources at risk. If one of those sites is breached, attackers try the leaked email-and-password pairs against other services, including UM (this is called credential stuffing), and your UM account is opened with no further effort.
  • Password Sharing. If you shared your password with a friend, significant other, or family member, they might not have been as careful with it as you are.
  • Unsecured network. If you log in to a UM website while on an unprotected or untrusted WiFi network, anyone else on that network can read traffic that is not encrypted and can redirect you to a look-alike login page that captures your password.
  • Weak password. A short, simple, or commonly used password can be guessed or recovered by brute-force techniques, and passwords that have appeared in past breaches are the first ones attackers try.

What Happens When an Account is Compromised

When an account is reported or appears to have been compromised, UM will quarantine the account while the Information Security Office investigates. Access to the account will be restored only after it is confirmed that the user's credentials have been securely reset and no unauthorized access remains, including anything the attacker left behind such as forwarding rules or unfamiliar devices. Additionally, users with compromised accounts will be required to use multi-factor authentication (MFA) before regaining access, if it is not already enabled. Depending on when a compromised account is detected and whether multiple accounts are compromised, restoring access to those accounts may not happen until the next business day.

How UM Responds to Compromised Accounts

This section gives more detail on how the Information Security Office applies the incident response framework to compromised accounts.

1. Identify

Objective: Detect that an account has been compromised and determine the scope, including whether it has been used for business email compromise.

  • How the Information Security Office (ISO) Identifies Compromised Accounts:
    • User reports: Users report suspicious activities, such as unauthorized transactions, phishing emails, or unexpected email forwarding.
    • Automated monitoring: Security systems detect anomalies, including login attempts from unusual locations, suspicious email forwarding, or unauthorized access patterns.
    • Third-party notifications: External partners or vendors notify the ISO of potential breaches involving university accounts.

2. Protect

Objective: Mitigate immediate risks and secure affected accounts.

  • Steps Taken by the ISO to Protect the University:
    1. Account lockout: Temporarily disable compromised accounts to prevent further unauthorized access.
    2. Notify affected users: When possible, inform account owners via alternative contact methods (e.g., personal email or phone) and provide immediate instructions for securing accounts.
    3. Reset credentials: Enforce password changes using secure reset mechanisms.
    4. Strengthen authentication: Enable or require multi-factor authentication (MFA) for all affected accounts.
    5. Contain the threat: Block known malicious IPs, email addresses, or domains involved in the attack.
    6. Safeguard critical systems: Restrict access to sensitive university systems if they are linked to compromised accounts.

3. Detect

Objective: Investigate the source and extent of the compromise.

  • Detection and Analysis:
    • Review sign-in and email activity logs for:
      • Sign-ins from unusual locations, or consecutive sign-ins whose distance and timing are physically impossible.
      • Sign-ins from unfamiliar devices, or a burst of failed sign-ins from one address followed by a success.
      • Newly created forwarding or inbox rules.
      • Outbound spam or phishing emails.
    • Identify attack vectors, such as:
      • Phishing campaigns.
      • Credential stuffing using previously leaked credentials.
      • Exploited weaknesses in MFA or account recovery processes.
    • Collaborate with MUS partners, cybersecurity organizations, and other peers to share intelligence and confirm threats.
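The log review above is mechanical enough to script. The following is an added example written for this article, not a tool the Information Security Office uses: it runs three of the checks named above (a sign-in from a country the user has never used, impossible travel between consecutive sign-ins, and a success from an address that has just failed against several accounts) over a small constructed sign-in log. The event records, the field names (user, ts, ip, country, lat, lon, result), the 900 km/h threshold, and the baseline of known countries are all assumptions chosen for the example.

```python
"""Flag suspicious sign-ins in a sign-in log.

Added example for this article, not University of Montana tooling. Event
records are constructed; field names are an assumption modelled loosely on
cloud identity-provider sign-in logs.
"""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data). Times are UTC; lat/lon is the
# geolocation of the source IP as an identity provider would record it.
SIGNIN_LOG = [
    {"user": "jdoe",   "ts": "2024-03-04T14:02:10Z", "ip": "198.51.100.23", "country": "US", "lat": 46.86, "lon": -113.99, "result": "success"},
    {"user": "jdoe",   "ts": "2024-03-04T14:40:10Z", "ip": "203.0.113.77",  "country": "NG", "lat": 6.52,  "lon": 3.38,    "result": "success"},
    {"user": "asmith", "ts": "2024-03-04T15:00:00Z", "ip": "198.51.100.24", "country": "US", "lat": 46.86, "lon": -113.99, "result": "success"},
    {"user": "asmith", "ts": "2024-03-04T17:30:00Z", "ip": "198.51.100.90", "country": "US", "lat": 47.61, "lon": -122.33, "result": "success"},
    {"user": "bwhite", "ts": "2024-03-04T18:00:01Z", "ip": "192.0.2.9",     "country": "US", "lat": 40.71, "lon": -74.01,  "result": "failure"},
    {"user": "cgreen", "ts": "2024-03-04T18:00:02Z", "ip": "192.0.2.9",     "country": "US", "lat": 40.71, "lon": -74.01,  "result": "failure"},
    {"user": "dblack", "ts": "2024-03-04T18:00:03Z", "ip": "192.0.2.9",     "country": "US", "lat": 40.71, "lon": -74.01,  "result": "failure"},
    {"user": "dblack", "ts": "2024-03-04T18:00:04Z", "ip": "192.0.2.9",     "country": "US", "lat": 40.71, "lon": -74.01,  "result": "success"},
]

# Countries each user has previously signed in from (constructed baseline).
BASELINE = {u: {"US"} for u in ("jdoe", "asmith", "bwhite", "cgreen", "dblack")}

MAX_PLAUSIBLE_KMH = 900.0  # an implied speed above this between sign-ins is "impossible travel"
SPRAY_MIN_ACCOUNTS = 3     # failures against this many distinct accounts from one IP


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def new_country_alerts(events: list[dict], baseline: dict[str, set]) -> list[dict]:
    """Successful sign-ins from a country the user has never signed in from before."""
    return [{"rule": "new_country", "user": e["user"], "detail": f'{e["country"]} from {e["ip"]}'}
            for e in events
            if e["result"] == "success" and e["country"] not in baseline.get(e["user"], set())]


def impossible_travel_alerts(events: list[dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Consecutive successful sign-ins whose implied travel speed is not physically possible."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Same-second sign-ins from distant places are impossible regardless of
            # speed; treat them as infinite rather than dividing by zero.
            if hours == 0:
                speed = math.inf if km > 50 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "detail": f"{km:.0f} km in {hours * 60:.0f} min ({speed:.0f} km/h)"})
    return alerts


def spray_alerts(events: list[dict], min_accounts: int = SPRAY_MIN_ACCOUNTS) -> list[dict]:
    """A success from an IP that has just failed against several different accounts:
    the trace left by password spraying or credential stuffing."""
    failed_users: dict[str, set] = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["result"] == "failure":
            failed_users[e["ip"]].add(e["user"])
        elif len(failed_users[e["ip"]]) >= min_accounts:
            alerts.append({"rule": "spray_then_success", "user": e["user"],
                           "detail": f'{e["ip"]} failed against {len(failed_users[e["ip"]])} accounts first'})
    return alerts


def triage(events: list[dict], baseline: dict[str, set]) -> list[dict]:
    """Run every detection and return the alerts grouped by user."""
    alerts = new_country_alerts(events, baseline) + impossible_travel_alerts(events) + spray_alerts(events)
    return sorted(alerts, key=lambda a: (a["user"], a["rule"]))


if __name__ == "__main__":
    for a in triage(SIGNIN_LOG, BASELINE):
        print(f'{a["rule"]:20} {a["user"]:8} {a["detail"]}')
```

On the constructed log, jdoe is flagged twice (a first-ever sign-in from Nigeria, 38 minutes after one from Montana) and dblack once (a success from an address that had just failed against three accounts), while asmith's move from Missoula to Seattle in two and a half hours is well under the speed threshold and produces nothing. The thresholds are the tuning knobs: too low and every VPN user and commuter becomes an alert, too high and a real intruder slips through.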

4. Respond

Objective: Contain and remediate the incident.

  • Steps in the Response Process:
    1. Technical Remediation:
      • Remove malicious email forwarding rules and any other inbox rules the attacker created (for example, rules that delete or hide security notices and replies).
      • Quarantine or delete phishing emails from user inboxes.
    2. Communication:
      • Notify the campus IT community of the incident.
      • Work with affected departments to validate transactions and mitigate financial and other regulatory risks.
    3. Documentation:
      • Record all actions taken during the incident response.
      • Preserve evidence for potential regulatory, legal, or investigative purposes.
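Attacker-created mailbox rules (the ones removed in the Technical Remediation step above, and the ones users are asked to look for when they verify their account settings under Recover) follow a few recognisable patterns: a name that is blank or just punctuation so it is overlooked, forwarding to an address outside the university, deleting or marking as read anything the intruder does not want the owner to see, and filtering on subjects such as "password" or "invoice". The following is an added example written for this article, not a tool the Information Security Office uses; it scores a constructed list of rules against those patterns. The rule records, their field names (name, forward_to, delete, mark_read, subject_contains, folder), the keyword and folder lists, and umontana.edu as the internal mail domain are assumptions chosen for the example.

```python
"""Triage the inbox rules found in a compromised mailbox.

Added example for this article, not University of Montana tooling. The rule
records are constructed and their field names are an assumption; so is the
internal mail domain used to decide what counts as an external forward.
"""
from __future__ import annotations

UNIVERSITY_DOMAIN = "umontana.edu"  # assumption: domain of legitimate internal mailboxes

# Rule names made only of punctuation sort to the top or bottom of the list
# and are easy to miss during a quick review.
HIDDEN_NAME_CHARS = set(". ,-_")
# Subjects an intruder wants to see first, or wants the owner never to see.
SENSITIVE_KEYWORDS = ("password", "invoice", "wire", "payment", "phish", "suspicious", "helpdesk", "security")
# Folders nobody reads, used to park replies and warnings out of sight.
HIDEOUT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items", "archive"}

RULES = [  # constructed sample rules, not real ones
    {"name": "Newsletters", "forward_to": [], "delete": False, "mark_read": False,
     "subject_contains": ["newsletter"], "folder": "Reading"},
    {"name": "..", "forward_to": ["jdoe.backup@mail.example"], "delete": True, "mark_read": False,
     "subject_contains": ["password", "invoice"], "folder": None},
    {"name": "Helpdesk", "forward_to": [], "delete": False, "mark_read": True,
     "subject_contains": ["phish", "suspicious"], "folder": "RSS Subscriptions"},
    {"name": "Project X", "forward_to": ["colleague@umontana.edu"], "delete": False, "mark_read": False,
     "subject_contains": ["project x"], "folder": None},
]


def is_external(address: str, domain: str = UNIVERSITY_DOMAIN) -> bool:
    """True when the address is outside the university's mail domain."""
    return address.rsplit("@", 1)[-1].lower() != domain.lower()


def triage_rule(rule: dict) -> list[str]:
    """Return the reasons a rule looks attacker-made; an empty list means nothing suspicious."""
    reasons = []
    name = rule.get("name") or ""
    if not name.strip() or set(name) <= HIDDEN_NAME_CHARS:
        reasons.append("hidden_name")
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if external:
        reasons.append("external_forward:" + ",".join(external))
    if rule.get("delete"):
        reasons.append("deletes_mail")
    folder = (rule.get("folder") or "").lower()
    if rule.get("mark_read") or folder in HIDEOUT_FOLDERS:
        reasons.append("hides_mail")
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    if any(k in s for s in subjects for k in SENSITIVE_KEYWORDS):
        reasons.append("filters_sensitive_subjects")
    return reasons


def triage_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule name to its reasons, most suspicious first."""
    flagged = {}
    for r in rules:
        reasons = triage_rule(r)
        if reasons:
            flagged[r["name"]] = reasons
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for name, reasons in triage_rules(RULES).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

On the constructed list, the rule named ".." is flagged for all four patterns at once (hidden name, external forward, deletion, sensitive subjects), which is the classic signature of a rule planted to intercept invoice or password traffic; "Helpdesk" is flagged for burying security warnings in an unread folder; the two ordinary rules are left alone. The same checks apply to whatever rule export your mail platform provides, and a rule that forwards internally or to a known personal address still deserves a question to the owner, since the script only ranks what to look at first.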

5. Recover

Objective: Restore normal operations and strengthen future security measures.

  • Depending on the severity and scope of the incident, affected users may not regain access to their accounts on the same business day.
  • Steps for Users to Regain Access:
    1. Change your password: Use the secure reset process coordinated with the ISO or the UM IT Helpdesk, and choose a strong password that you do not use anywhere else.
    2. Verify account settings: Ensure no unauthorized changes remain, such as unfamiliar devices, MFA methods you did not register, or forwarding and inbox rules you did not create.
    3. Monitor activity: Regularly review account activity for any signs of unauthorized access.
  • ISO Actions:
    • Update security protocols, policies, and employee training programs.
    • Deploy additional safeguards, such as:
      • Advanced identity verification procedures.
      • Advanced phishing detection tools.
      • Expanded MFA implementation across university systems.
  • Best Practices to Prevent Future Compromises:
    1. Do not reuse passwords across multiple accounts.
    2. Do not share your passwords with anyone.
    3. Use university credentials only on verified university systems.
    4. Enable and use multi-factor authentication (MFA).
    5. Be vigilant about phishing attempts, verifying suspicious emails before clicking links or providing credentials.
    6. Report suspicious activity immediately to the ISO.

Conclusion

The combination of proactive detection, response, and recovery measures reduces the impact of compromised account events while improving the university's overall cybersecurity posture.

If you have questions or need assistance, please contact the UM Information Security Office: infosec@umontana.edu.
