Recent flurry of compromised accounts

The following message is from the Campus IT Connect group.

This weekend, Google sent us information on several hundred accounts ( that they found with credentials in a pastebin.  After a first pass, these all appear to be uMail accounts that were recently provisioned onto Google, so the credentials probably resulted from an old phishing campaign.  Further, preliminary checks show that only a few of them have been used in phishing/spamming campaigns before.

We are working on the tooling to automate checking the history on each of these accounts.  In the case of an account implicated in spamming/phishing within the last two years, we are going to assume that the remediation of that incident addressed the issue.  If not, we will take action as we normally handle compromised accounts.  We will set a random password and block the reuse of the compromised password.  Until the user goes through a password reset process, they will be locked out of most campus systems.

Given the volume, we also could use some help.  If you encounter someone who seems to have been locked out, the first step is for the individual to visit

to reset their password by answering “secret questions”.