Students at the University of Michigan are being told to change their account passwords after a disruptive security incident detected in August.
Last month, U-M was forced to sever online services to its campus community on the eve of a new academic year due to what appeared to be a targeted cyberattack.
The school didn’t want to make a big deal out of it, but all signs indicate the attack was aimed directly at the university. This prompted U-M to not only cut internet connections to its campus, but also to enlist the help of federal law enforcement and launch an investigation into the matter.
Following the announcement, U-M assured students and staff that they could still use their credentials to access faculty apps and online platforms via cellular connections.
More recently, however, the U-M’s management has had a change of heart. In an email to community members, everyone is now urged to reset their passwords by Sept. 12.
"The University of Michigan is requiring all community members to change their UMICH password by the end of day on Tuesday, September 12," UMICH CISO Sol Bermann and CIO Ravi Pendse wrote to university staff and students, according to Bleeping Computer.
“Everyone on the Ann Arbor, Flint, Dearborn, and Michigan Medicine campuses must change their passwords by Tuesday, September 12,” the university's ITS Service Center (ITS) says in another email. “If you do not change your password, you will not be able to use your UMICH password, including services that use the U-M Weblogin and U-M managed devices. Alumni, retirees and other groups can change their passwords now. Additional information for these groups will be coming soon.”
Following intermittent issues with the password reset process, the school said Tuesday that UMICH Account Management was functioning normally, at long last.
It isn’t clear if the school’s IT team still has systems to restore, but according to a statement obtained by Bleeping Computer from UMICH's Director of Public Affairs, the ongoing investigation is preventing the school from sharing “anything that might compromise that important work.”
As noted in our original coverage of the incident, U-M has yet to even hint at the possibility that student or faculty data may be at risk. Prompting students and staff to change their passwords may suggest that U-M accounts were accessed by an unauthorized party.