Cyber Incident Victim: The University of Michigan

Date: Aug 2015

Location: United States of America

Summary

The University of Michigan experienced a security breach in which attackers compromised three prominent Facebook pages through a sophisticated phishing scheme delivered via Facebook Messenger. Malicious posts appeared overnight, and after the university lost administrative access to the pages, IT services, public affairs, and law enforcement responded immediately. Initial remediation efforts temporarily restored control, but a secondary attack occurred while administrator privileges were being adjusted, revealing that the breach originated from an employee's compromised personal account via fraudulent credential-validation links. Facebook's investigation confirmed the phishing campaign targeted multiple brands. The incident highlighted vulnerabilities beyond password security, leading the institution to implement two-step authentication, review third-party application access, and explore enhanced platform security measures while maintaining transparent communications throughout the incident.

Description

On August 12, 2015, at approximately 3:30 AM, unauthorized actors compromised three prominent University of Michigan Facebook pages—Michigan Football, Michigan Basketball, and Michigan Athletics—by posting malicious content. The University’s Department of Information Technology Services (ITS) first detected the breach through alerts from the user community, who reported inappropriate posts across these and other university-affiliated social media accounts. By 5:00 AM, ITS had escalated notifications to the University Director of Social Media, the Office of Public Affairs and Internal Communications, and the Department of Public Safety and Security. Michigan Athletics’ external communications staff also received multiple notifications via voicemail, text messages, and social media mentions. Initial investigations ruled out insider involvement and confirmed the loss of administrative access to the compromised pages. University personnel attempted to regain control by flagging content and contacting Facebook, but time zone differences delayed direct assistance from most Facebook contacts. The London-based Facebook team eventually intervened through a connection facilitated by a former agency peer linked to Michigan’s auto industry social teams. Concurrently, the university’s social media leadership team—comprising representatives from all three campuses—initiated password resets for all official accounts and audited third-party applications with publishing permissions. Michigan Athletics’ associate athletic director established a group text to update university leadership in real time.

At 7:42 AM, the University issued its first public acknowledgment of the breach via central social media channels, emphasizing transparency and ongoing resolution efforts. Facebook unpublished the three affected pages at 8:38 AM, restored administrative credentials within 15 minutes, and reinstated the pages by 10:00 AM. A second wave of attacks occurred shortly after noon when attackers exploited delegated privilege changes during administrator re-credentialing, revealing the breach originated from a specific employee’s compromised personal account. Facebook’s investigation attributed the incident to a sophisticated phishing campaign via Facebook Messenger, where fraudulent messages impersonating Facebook Support directed the employee to a credential-harvesting site. The attackers used two scripted messages falsely citing security mismatches and urging credential revalidation via malicious links. Post-incident, Facebook advised enhanced security protocols, including disabling Messenger for official communications, verifying login URLs, scrutinizing shortened links, minimizing admin roles, and enabling login approvals for admin accounts. The university implemented two-factor authentication, evaluated third-party security tools, and explored Facebook Business Manager. Internal debriefs and application audits occurred by end-of-day August 12, followed by operational restoration and individualized responses to all user messages. Impact analysis revealed negligible follower fluctuations—minor increases on main brand pages and slight decreases on sport-specific pages—with the incident ranking fifth in topical relevance among University of Michigan brand discussions over the subsequent week.
