Cyber Incident Victim: University at Buffalo
Date: May 2018
Location: United States of America
Summary
A data breach at the University at Buffalo compromised 2,690 UBITName accounts, impacting 1,800 students, 862 alumni, and 28 faculty and staff members. The stolen login credentials originated from individuals entering their university credentials on a non-university website, likely due to reused passwords across external services. The institution clarified that the compromise did not stem from a direct phishing attack against its systems but potentially from a legitimate third-party service breach. An investigation was initiated to identify the specific external source of the credential exposure, with plans to contact affected users for further correlation. The university reiterated ongoing education efforts advising against credential reuse for non-university services.
Description
On May 18, 2018, the University at Buffalo (UB) publicly confirmed a data breach involving unauthorized access to 2,690 UBITName accounts following an investigation led by J. Brice Bible, the university’s vice president and chief information officer. The compromised credentials affected 1,800 student accounts, 862 alumni accounts, and 28 faculty and staff accounts. UB spokesperson John Della Contrada stated the breach occurred when individuals entered their university login credentials on a non-UB website, leading to the theft of their authentication details. The university’s initial investigation ruled out direct compromise of UB systems, attributing the incident to credential reuse on external platforms. Affected individuals were notified, though UB did not initially disclose the identity of the third-party service involved.

In follow-up communications, UB clarified that the specific external service responsible for the credential exposure remained unidentified, noting it could have been any of numerous non-university sites where users registered accounts. The breach stemmed from individuals reusing their UB credentials (username, email, and password) on these external platforms, despite ongoing university education campaigns advising against such practices. UB found no evidence linking the incident to a phishing scheme and acknowledged the third-party service might have been legitimate rather than malicious. The university committed to contacting impacted users to gather additional details about the compromised external services, aiming to refine its understanding of the attack vector. No further technical specifics about the breach mechanism, attacker identity, or direct operational consequences within UB systems were disclosed in the available reporting.
