Ohio University

Reusing an OHIO password can have far reaching consequences

On Sep. 24, 2019, OHIO email users found themselves unable to send messages to anyone outside of the university for several hours. The way this outage happened demonstrates just how connected the online world can be and just how important it is to maintain a unique password for your OHIO login.

It all started nearly a year and a half ago when hackers stole Chegg.com’s password database. The company notified its customers, and the incident seemed destined to be forgotten. Then in August 2019, the stolen database popped up on the internet for anyone to download. This was not a big deal for Chegg, because they had made their customers change their passwords right after the theft happened. The real impact would be for the universities and colleges whose students had accounts with Chegg.

As is often the case with e-commerce sites, Chegg asks its customers for an email address when they sign up. This by itself is not a problem. An email address is only useful to a hacker if it comes with a matching password. Unfortunately, more than a few OHIO students chose to use not only their OHIO email address but also their OHIO password for their Chegg account. This made it easy for hackers to send spam from those students’ OHIO accounts, using nothing more than data from the stolen Chegg file. The resulting surge in outgoing spam triggered Microsoft’s anti-spam protections. Those protections did their job to keep OHIO and Microsoft off of internet-wide spam blacklists; however, as a side effect, everyone at the university was unable to send mail to outside recipients for several hours.

Protect Yourself

OIT’s Information Security office is well equipped to discover and disable compromised email accounts, but ultimately it is everyone's responsibility to secure their own account. Here’s how:

If you have any questions, please contact the IT Service Desk.