Members of the University of Richmond’s Information Services department discovered around 3,000 UR email addresses published to a hidden database, according to an email sent to affected students and faculty on Jan. 26.
The email addresses were not obtained from UR systems, Shana Bumpas, director of information security at UR, said. Instead, the people who published the addresses acquired them through various past security breaches at companies such as Yahoo or LinkedIn.
“If you signed up at Yahoo or LinkedIn and used your Richmond email address there, that's how it linked back to University of Richmond," Bumpas said.
The database is located on the dark web and contains 1.4 billion account passwords. It is a compilation of several breaches that have occurred over the past year, Bumpas said.
After an article about the database was published on a Richmond news website, though, it remained unclear whether UR itself had experienced a data breach.
The article, titled “1.4 billion stolen credentials uncovered by University of Richmond,” was written by Scott Malone of the Capital News Service, a program of VCU’s Robertson School of Media and Culture.
“The title is very misleading,” senior George Katsiotis, who had heard about Malone’s article from a friend, said.
Katsiotis was initially angry after reading the title because he had thought that UR had had a security breach, he said. After reading more of the article, Katsiotis said he had had a better grasp on the reality of the situation but still had been unclear as to why he didn't receive an email from UR explaining what had happened.
According to Malone’s article, more details regarding the incident were sent via email to students and staff on Friday. But those emails were sent only to the UR accounts that had been affected, Bumpas said.
“It was just a courtesy, a public service, to those people who were impacted to let them know to go check their accounts,” Bumpas said.
Katsiotis still had concerns about how the situation had been communicated, he said.
“What is more problematic is that a VCU student knew about it, and I didn’t know about it,” Katsiotis said. “That’s bad.”
Cynthia Price, director of media and public relations at UR, said Malone’s article had not accurately portrayed the reality of the situation.
“We’re talking 3,000 of our addresses on a database that had 1.4 billion,” Price said. “We alerted those who needed to know.”
Price and Bumpas both acknowledged that other universities also could have been affected.
“I think other universities, companies, are also looking into it,” Price said. “There is a lot of potential impact.”
Neither Price nor Bumpas knew who first created the list of email addresses, but that is because of the sheer depth of the dark web, Price said.
As for maintaining web security in the future, Bumpas said that routinely checking accounts and passwords would ensure general privacy.
“You should make sure you’re using strong passwords,” Bumpas said. “Don’t share your passwords, and have different passwords for different types of systems.”
Contact news editor Jocelyn Grzeszczak at firstname.lastname@example.org.