Cyber Incident Victim: Boston University
Date: Oct 2019
Location: United States of America
Summary
A flood of spam emails originating from compromised student accounts prompted Boston University to temporarily disable over 1,000 accounts and mandate password resets. The incident, attributed to credential theft from a prior breach of the educational platform Chegg, resulted in unauthorized email campaigns targeting the university's systems. Account access was restored only after affected students updated their credentials to mitigate further misuse.
Description
In late September 2019, Boston University experienced a surge of spam emails originating from compromised student accounts, overwhelming university servers. The incident prompted BU administrators to temporarily disable access for more than 1,000 affected student accounts as a containment measure. University officials mandated password resets for these accounts to regain access, directly linking the account compromises to credential theft from a 2018 breach at Chegg, an educational services platform. The spam campaign represented a secondary exploitation of credentials initially exposed in the Chegg incident, though BU did not specify the exact timeframe between the credential exposure and their misuse in September 2019. No technical details were disclosed regarding the volume of spam sent, specific attacker methodologies beyond credential reuse, or whether internal systems beyond email were accessed.

The incident caused operational disruption through both the spam flood and the temporary account lockouts impacting over 1,000 students. BU's public response focused on credential reset requirements without detailing additional forensic findings, security enhancements implemented post-incident, or whether financial or personal data beyond email access was compromised. The university attributed responsibility indirectly by citing the Chegg breach as the source of compromised credentials, though no threat actor group was identified in connection with the spam campaign. This attribution aligned with established patterns of credential stuffing attacks following third-party breaches, where stolen credentials are tested across unrelated services. The temporary account suspensions and forced password resets constituted the primary documented containment and remediation actions taken by Boston University.
