A compromised account is an account for which someone other than the owner/delegate of the account has access to the username and password. Often, the credentials are used for the purpose of sending spam from a legitimate-looking source (you!). You should never share your password, even with another campus member (see SF State Password Policy).
SF State works diligently to prevent credential theft and we recommend all users review procedures and actively work to protect themselves and the university. But when a compromise occurs, steps need to be taken to protect not only the university's data but your data as well.
- Procedure for Current Faculty, Staff, and Community Member Primary Accounts
- Procedure for Secondary, Departmental, Student, and Emeritus Accounts
- Public Credential Posting
- Spoofed Accounts
Procedure for Current Faculty, Staff, and Community Member Primary Accounts
- ITS will lock your account and administratively change the password; Microsoft will stop the account from sending e-mail
- If outbound spam contains a link, ITS will request the link be blocked at the SF State firewall and via online safe-browsing tools
- A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk)
- IT staff will work with you to scan and, if necessary, clean your computer(s) and devices (Note: this may require clean-up actions be performed on personally owned devices)
- IT staff will help you perform a root cause analysis to determine how the account was compromised
- IT staff will verify that clean-up has been performed on all devices used to access the account
- ITS will unlock the account - you may now change your password and re-access SF State services
- ITS will request that Microsoft remove the block from your account, allowing e-mail to be sent to non-SF State addresses
- IT staff will help you complete and submit an Incident Report
Procedure for Secondary, Departmental, Student, and Emeritus Accounts
Please note: If it is determined that your account has access to secure resources or confidential data, the compromised account procedure for a primary account may be used.
- ITS will lock your account and administratively change the password
- If outbound spam contains a link, ITS will request the link be blocked at the SF State firewall and via online safe-browsing tools
- A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk)
- IT staff will work with you to scan and, if necessary, clean your computer(s) and devices (Note: this may require clean-up actions be performed on personally owned devices)
- IT staff will verify that clean-up has been performed on all devices used to access the account
- ITS will unlock the account - you may now change your password and re-access SF State services
Public Credential Posting
Most compromised accounts are reported via tools such as Microsoft's Anti-Spam utility. For reports originating from the public posting of credentials or from a source that cannot be verified, the following procedure will be used:
- ITS will notify you that you need to immediately change your password. If you cannot be reached and/or the password is not updated within 4 hours, the password will be administratively changed to protect your personal information
- You can change your password and re-access SF State services
Spoofed Accounts
Spoofing is annoying but is not actually the result of compromised credentials. When a scammer creates a spam message, they can set a 'reply-to' address other than their own. They use an e-mail address that will help make the message appear legitimate. Unfortunately, this often causes the address they have used to receive a large number of undeliverable notifications. Because there are no compromised credentials and the messages do not originate from SF State's servers, there is no way to stop these messages. If your account has been used in a spoof and you have more than 2000 undeliverable notifications, please open a service request for information on using mail rules to delete the messages.