Compromised Account Guide

A compromised account is an account for which someone other than the owner/delegate of the account has access to the username and password. Often, the credentials are used for the purpose of sending spam from a legitimate looking sorce (you!). You should never share your password, even with another campus member (see SF State Password Policy).

SF State works diligently to prevent credential theft and we recommend all users review procedures and actively work to protect themselves and the university. But when a compromise occurs, steps need to be taken to protect not only the universitie's data but your data as well.

 

 

Procedure for Current Faculty, Staff, and Community Member Primary Accounts

SF State's IT staff is highly aware there are times of year when having an account locked can cause excessive hardship (e.g., registration, grading, finals, drop/add days). If circumstances force the locking of an account during these critical times, additional outreach will be attempted and we will do our utmost to resolve account issues quickly. To make sure you receive all communication, please verify that your external email address is valid and that your directory listing includes your phone number.

 

 

 

 

 

  1. ITS will lock your account and administrativly change the password, Microsoft will stop the account from sending email
  2. If outbound spam contains a link, ITS will request the link be blocked at the SF State firewall and via online safe-browsing tools
  3. A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk)
  4. IT staff will work with you to scan and, if necessary, clean your computer(s) and devices. (Note: this may require clean-up actions be performed on personally owned devices.)
  5. IT staff will help you perform a root cause analysis to determine how the account was compromised
  6. IT staff will verify that clean-up has been performed on all devices used to access the account
  7. ITS will unlock the account - you may now change your password and re-access SF State services
  8. ITS will request that Microsoft remove the block from your account, allowing email to be sent to non-SF State addresses
  9. IT staff will help you complete and submit an Incident Report

 

Procedure for Secondary, Departmental, Student, and Emeritus Accounts

SF State's IT staff is highly aware there are times of year when having an account locked can cause excessive hardship (e.g., registration, grading, finals, drop/add days). If circumstances force the locking of an account during these critical times, additional outreach will be attempted and we will do our utmost to resolve account issues quickly. To make sure you receive all communication, please verify that your external email address is valid.

 

 

 

 

Please note: If it is determined that your account has access to secure resources or confidential data the compromised account procedure for a primary account may be used.

  1. ITS will lock your account and administrativly change the password
  2. If outbound spam contanes a link, ITS will request the link be blocked at the SF State firewall and via online safe-browsing tools
  3. A reqest for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk)
  4. IT staff will work with you to scan and, if necessary, clean your computer(s) and devices (Note: this may require clean-up actions be performed on personally owned devices)
  5. IT staff will verify that clean-up has been performed on all devices used to access the account
  6. ITS will unlock the account - you may now change your password and re-access SF State services

 

Public Credential Posting

Most compromised accounts are reported via tools such as Microsoft's Anti-Spam utility. For reports originating from the public posting of credentials or from a source that cannot be verified, the following procedure will be used:

  1. ITS will notify you that you need to immediatly change your password. If you cannot be reached and/or the password is not updated within 4 hours, the password will be administrativly changed to protect your personal information
  2. You can change your password and re-access SF State services

 

Spoofed Accounts

Spoofing is annoying but is not actually the result of compromised credentials. When a scammer creates a spam message, they can set a 'reply-to' address other than their own. They use an email address that will help make the message appear legitimate. Unfortunately, this often causes the address they have used to receive a large number of undeliverable notifications. Because there are no compromised credentials and the messages do not originate from SF State's servers, there is no way to stop these messages. If your account has been used in a spoof and you have more than 2000 undeliverable notifications, please open a service request for information on using mail rules to delete the messages.