Stanford University Is Investigating An Apparent Security Breach, Urges Community To Reset Passwords

Stanford University urged network users to change their passwords late Wednesday evening, explaining that it “is investigating an apparent breach of its information technology infrastructure.”

Randall Livingston, Stanford’s chief financial officer, emailed the entire Stanford community, noting that Stanford does “not yet know the scope of the intrusion.”

Livingston’s full email, which was sent via an IT Services announce email but signed by the school’s CFO, reads:

“Members of the Stanford Community:

Stanford is investigating an apparent breach of its information technology infrastructure similar to incidents reported in recent months by a range of companies and large organizations in the United States. We do not yet know the scope of the intrusion, but we are working closely with information security consultants and law enforcement to determine its source and impact. We are not aware at this time of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.

As a precautionary measure, we are asking all users of Stanford’s computer system – that is, all those with a SUNet, or Stanford University Network, ID – to change their passwords. This may be done on the “Accounts” page of the Stanford website.  (You can find the “Accounts” page by going directly to the main website.) Additional information is posted on that page verifying the nature of the issue and the University’s request that passwords be updated. As we learn more about the incident, this process may need to be repeated.

Stanford treats information security with the utmost seriousness and is continually upgrading its defenses against cyberattacks. Like many institutions, it repels millions of attempted attacks on its information systems each day. In recent months, a range of large organizations have reported attacks involving their information systems. Preliminary indications are that the breach at Stanford bears many similarities to these incidents. We are unable to provide additional detail at this time, given the ongoing nature of the investigation and the importance of limiting any damage from the incursion. We will provide updates to users of our systems as more information becomes available.”

A bit of searching will show many tweets and articles about alleged “hacking” of Stanford’s system, none of which led to University-wide emails. But Livingston’s description sounds reasonably similar to an alleged security breach this past May by “Ag3nt47.”

Smaller sites reported in May that this hacker breached the Harvard, Stanford, and MIT websites and published staff information online. Another site reported that Ag3nt47 also hacked the sites of Rutgers, NASA, Mazda, Suzuki, Isuzu, the Bose Speakers’ Chinese branch and Mopar, one of the world’s largest automotive parts suppliers.

This would fit with Stanford’s description of the hack being “similar to incidents reported in recent months by a range of companies and large organizations in the United States.”

Looking at the published contents of this hack, it looks like Ag3nt47 merely scraped information from the Stanford Institute for Computational and Mathematical Engineering website. His hack shows email addresses and names of staffers in the ICME, but those are publicly listed on the site. It seems unlikely that such a small hack would cause this response from Stanford, unless Ag3nt47 accessed more information than they publicly posted. However, Ag3nt47 claims they have “the entire database.”

Still, it’s possible that Ag3nt47 is taking credit for another hackers’ work, or thinking Stanford is investigating their hack, when Stanford is looking at a different breach. A recent New York Times article notes that U.S. campuses are fighting millions of cyber attacks every week, most of which are thought to be from China.

In the meantime, Stanford is urging all Stanford network ID holders to change their passwords.

Screen Shot 2013-07-25 at 2.12.46 AM

Update: Stanford declined to comment beyond the above email. The hacker @Ag3nt47 has deleted tweets that he sent me in which he claimed that he easily hacked Stanford’s website and that he has “the entire database.”

Disclosure: I am a rising senior and the co-student body president at Stanford.

Image via Stanford Alumni.