Environment: StFX account(s) exhibiting unusual, suspicious activity or confirmed as compromised.
Purpose: This guide outlines how IT Services addresses suspicious or compromised user account credentials, steps IT Services will take to secure your account and safeguard your data, why the process is important, and what to expect if it happens to your account.
When account credentials are compromised, it can have severe consequences, leading to identity theft, exposure of sensitive data, financial loss, and reputational damage.
This FAQ explains what compromised credentials are, what IT Services will do to protect your account, the steps you need to take to restore access, and what you can do to help keep your account and University systems secure.
What are compromised account credentials?
Compromised account credentials are credentials such as usernames, passwords, or access keys that have been stolen or obtained by unauthorized individuals.
What risk do compromised account credentials pose?
Compromised credentials can give attackers access to the information stored in your account, as well as to University systems and data that your account is authorized to use. Compromised credentials can have severe consequences, including unauthorized access to personal or sensitive data, financial loss, and reputational damage for the University.
How can account credentials become compromised?
Account credentials may become compromised through methods like phishing attacks, malicious web links or websites, computer malware, or other data breaches.
Cyber threats are evolving, becoming more sophisticated and increasing in frequency, leading to an increase in incidents involving University account credentials.
What will IT Services do to secure my account and protect my data if my account has been compromised?
Compromised credentials can have severe consequences; our priority is to secure your account and to protect University systems and data from further risk.
If unusual or suspicious activity with your StFX account has been identified, or if your account has been confirmed to be compromised, IT Services will implement measures to secure your account until an investigation is completed. These measures are essential to reduce risk and to safeguard other University accounts, critical systems, and sensitive data.
These measures will disrupt access to your account but are essential in order to reduce risk. It's important for an investigation to be completed to ensure that the threat to the University is eliminated, and access to your account is restored in a safe and effective manner.
What does it mean for me and what do I need to do next?
Account suspension
In the event that your account is suspected of or confirmed to be compromised, IT Services will, at minimum, take the following actions on your account:
- Reset your account password.
- Revoke any active sessions.
- Reset your MFA registration and account recovery information.
- Temporarily disable access to your email mailbox.
  - Note: new inbound email messages to your account will still be received during this time.
- Disable email forwarding rules or settings (if applicable).
- Disable suspicious mail processing rules (if applicable).
- Remove email mailbox delegates (if applicable).
- Purge any email messages identified as malicious from all user mailboxes.
- Block any URLs (web links) identified as malicious from the network.
- Notify affected individuals via an external email address when possible.
Incident investigation
Following the suspension of your account, an investigation will be conducted to determine the scope of the incident and if further actions are required.
Depending on the scope and complexity of the incident, it may be several hours or more before access to your account is restored. IT Services will work to restore access as quickly as possible and provide affected users with updates as information becomes available.
Account recovery
Once it is determined that the threat has been eliminated, IT Services will take steps to restore your access to your account. As part of the recovery process, you will need to take the following actions when appropriate:
- Perform an identity verification with the IT Services Helpdesk; this requires some form of photo ID to be presented in person or via a video call.
- Review and update your account recovery information, including MFA registration.
- Check for suspicious email processing or forwarding rules.
- Change your account password using the myPassword tool (mypassword.stfx.ca).
  - It is important that you set an entirely new password; do not set the same or a similar password that was in use during the time of the compromise.
- Reinstate any legitimate email mailbox processing rules, email forwarding, and/or email mailbox delegates.
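Two of the steps above, disabling suspicious mail processing rules during suspension and checking for them again during recovery, come down to reviewing every inbox rule for the traits attackers rely on. The following is an added example, not IT Services' own tooling: the rule export format is modelled on the Microsoft Graph messageRule shape (an assumption about how rules are exported), the internal domain list and the sensitive-word list are constructed, and the heuristics are the editor's, not the page's.

```python
from dataclasses import dataclass

ORG_DOMAINS = {"stfx.ca"}  # constructed: addresses at these domains count as internal
SENSITIVE_WORDS = ("password", "security", "invoice", "payment")  # assumed heuristic list

@dataclass
class Finding:
    rule: str
    reason: str

def _addresses(actions, key):
    # Graph-style recipient list: [{"emailAddress": {"address": "..."}}]
    return [r["emailAddress"]["address"].lower() for r in actions.get(key, [])]

def review_inbox_rules(rules, org_domains=ORG_DOMAINS):
    """Return one Finding per suspicious trait found across the given rules."""
    findings = []
    for rule in rules:
        name = rule.get("displayName") or "<unnamed>"
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        # Forwarding or redirecting to an address outside the organisation
        targets = _addresses(actions, "forwardTo") + _addresses(actions, "redirectTo")
        external = [a for a in targets if a.rsplit("@", 1)[-1] not in org_domains]
        if external:
            findings.append(Finding(name, "forwards mail outside the organisation: " + ", ".join(external)))
        # Deleting, or moving-and-marking-read, hides replies and alerts from the owner
        if actions.get("delete"):
            findings.append(Finding(name, "deletes matching messages"))
        if actions.get("moveToFolder") and actions.get("markAsRead"):
            findings.append(Finding(name, "moves messages and marks them read, hiding them from the owner"))
        # Conditions that single out security- or money-related mail
        words = [w.lower() for w in conditions.get("subjectContains", [])]
        hits = [w for w in words if any(k in w for k in SENSITIVE_WORDS)]
        if hits:
            findings.append(Finding(name, "targets sensitive subjects: " + ", ".join(hits)))
        # Rules named with a single dot or blank are a common sign of hasty, hidden setup
        if not name.strip(". "):
            findings.append(Finding(name, "rule name is blank or punctuation only"))
    return findings

# Constructed sample export (not real data): one benign rule and two typical takeover rules.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "conditions": {"subjectContains": ["password reset", "Invoice"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "mailbox@example.net"}}], "delete": True}},
    {"displayName": "Cleanup", "conditions": {"bodyContains": ["unusual sign-in"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
]

if __name__ == "__main__":
    for f in review_inbox_rules(SAMPLE_RULES):
        print(f"[{f.rule!r}] {f.reason}")
```

Each finding is a reason to leave the rule disabled until its owner confirms it was created deliberately; a rule with no findings is a candidate for reinstatement in the recovery step.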
What else can I do to be a good cyber neighbor?
Every member of the University community can contribute to reducing incidents of account compromise.
- Be vigilant when reading and responding to email messages that come from unknown senders or look unusual or suspicious. Common themes of phishing emails are JOB OPPORTUNITY or ACCOUNT VERIFICATION. These types of emails are not authentic.
- Report suspicious messages or activity to IT Services as soon as possible.
- Don't click on links in messages that are suspicious.
- Do not forward suspicious messages to other users (internal or external).
- Do not approve or provide codes for Multifactor Authentication (MFA) requests that you have not initiated.
- Be aware of fake or suspicious websites when searching or browsing.
- Complete courses in the University's cybersecurity awareness and training platform, Terranova.