[BreachExchange] Email Hack at Brown Reportedly Involved Nearly Half-Million Addresses

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Mar 14 10:08:54 EDT 2022


https://www.golocalprov.com/news/email-hack-at-brown-reportedly-involved-nearly-half-million-addresses

An email hack involving nearly 500,000 email addresses in a Brown
University database took place over the weekend.
This marks the latest incident at the Ivy League institution, which came
under cyberattack in the spring of 2021.

On Saturday night, John Spadaro, the Interim Chief Digital and Information
Officer in Brown’s Office of Information Technology, sent the following
email to the community.

“We are writing to individuals who may have received messages today, March
12, 2022, from a Brown ‘special events’ email address with images and
comments reflecting political sentiments related to Russia’s invasion of
Ukraine. We regret any concern that these messages may have caused,” he
wrote.


Latest Hack

GoLocal was able to obtain a screengrab of the email that was sent on
Saturday from “Special_Events at brown.edu” with the subject line “A new day.”

The body of the email states “You deets has been obtain by viper crewz” —
followed by a URL (which has been redacted here).

According to members of the Brown community, the CSV file that the
perpetrators linked to included nearly 500,000 emails.

Sources say the original email contained two memes; one was a picture of
dog waste disposal labeled “Poo-Tin” reportedly containing an image of
Vladimir Putin; the other was a political cartoon of Putin sitting on a
tank holding the cannon — but the cannon was flaccid.

Brown’s Response

In his email to the Brown community on Saturday, Spadaro continued with the
following.

“These messages were the unfortunate result of unauthorized access to a
bulk email service used by the University that enabled the names and email
addresses of recipients to be extracted from the service. The University
has changed the password for the compromised account and was able to
prevent distribution of the unauthorized message to most email addresses in
the account. The University already was in the process of retiring use of
the bulk email service and does not expect further use of the service.

In addition, a thorough investigation has confirmed that there was no
software, virus or payload linked to the unauthorized messages that would
have any effect on the machines, software, stored content or technology of
those who received or open the unauthorized messages. Also, no confidential
information other than the names associated with the recipient email
addresses was accessed, and no other Brown assets have been accessed.

We encourage you simply to delete the original message(s) and any others
you might receive with similar or questionable content. It’s relevant to
note that the unauthorized sender of today’s emails created a link that
would allow others to access the list of email addresses used to send
today’s unauthorized emails. You may receive other spam messages from
accounts pretending to be Brown senders, or from other email addresses.

Filters for junk mail and spam that commonly prevent distribution of
messages such as these on most email platforms should help minimize the
impact to individuals. We have taken all immediate steps possible and
continue to be in touch with the external email service provider to seek to
prevent further unauthorized emails or spam to the extent we can control.

We regret any inconvenience and frustration caused by this situation.”

Brown University spokesperson Brian Clark said that the university is
continuing to investigate the incident.

“It is unknown how many of the email addresses accessed are active,” Clark
told GoLocal. “The spam messages using the improperly accessed email lists
were sent to a subset of recipients that was much smaller, by orders of
magnitude. And then Brown was able to block a majority of those.”

“Unfortunately, in incidents such as these, no one can predict whether
further attempts will be made to send spam emails. However, the nature of
the emails likely could be identified as spam by any recipient, and would
be filtered out by junk mail filters, marked as spam or deleted,” said
Clark. “OIT continues to reach out to the vendor to investigate how the
account was compromised, and to consider what additional steps may be
taken.”



Prior Incident

In March 2021, GoLocal reported that Brown came under cyberattack in an
incident the university at the time called its “utmost priority.”

On Tuesday afternoon, Thirsk, Brown’s Chief Digital Officer and Chief
Information Officer, made the community aware of the threat — and as of
Wednesday, the university was still addressing the incident.

“I’m writing to share that [this morning] Brown’s IT security team became
aware of a cybersecurity threat to the University’s Microsoft Windows-based
technology infrastructure. Staff in Computing & Information Services took
immediate steps to mitigate the threat, launched an investigation and began
to develop a full response plan,” said Thirsk Tuesday afternoon.

“Given the nature of the threat, CIS has taken a number of aggressive steps
to protect the University’s digital resources, including shutting down
connections to our central data center and systems within it,” he added.
“While many of our cloud-based systems — including Canvas, Zoom and Workday
— remain up and running, other systems are temporarily disabled. Among the
most commonly accessed resources that are temporarily unavailable are
Banner, VPN, RemoteApps and some websites hosted on Brown.edu. We are
working with colleagues across the University and are committed to getting
systems back online as quickly as possible.”