NEWS: “Collection #1” Data Breach

On January 17th, 2019, the media began reporting on a large collection of breached data, known as “Collection #1”.  This collection contains millions of email addresses and passwords and was posted publicly on the Internet.

The data was discovered by a security researcher named Troy Hunt.  He described the data on his blog in the post “The 773 Million Record ‘Collection #1’ Data Breach”.  It is important to note that the breached data is not recent and that the information is limited to email addresses and passwords (i.e., no credit card information, health records or social security numbers).

We do not believe this data contains any legitimate login or password information for accessing Vassar business systems.  However, your Vassar email address may appear in the data collection if you used it to sign up for a third-party service.

What should I do?

  1. Use strong passwords – use more characters in your passwords to make them harder to guess.
  2. Use different passwords – make sure you use different passwords for different sites.  Never use your Vassar password for any service outside of Vassar College. That way, if a third-party site is breached, that password can’t be used to access Vassar data.  A password manager can help you with good password habits. Vassar offers LastPass Premium for free to all active community members. Find out more at https://servicedesk.vassar.edu/catalog_items/751530-password-management/service_requests/new
  3. Check your email addresses for breaches – the website https://haveibeenpwned.com/ will tell you if your information is included in the “Collection #1” breach or any others.  Vassar requires password changes once every year.  This means the risk of your new password being known is low.  However, you should change older passwords on other websites if your email address does appear in the breach information.
  4. Check your password – you can also see if your current or new passwords have appeared in any data breaches at https://haveibeenpwned.com/Passwords
  5. Enable Multi-Factor Authentication – Vassar offers Duo to protect many services, including Google Apps, Moodle, Workday, and Banner.  Learn more at https://servicedesk.vassar.edu/solutions/571021-vassarone-setting-up-multi-factor-authentication-with-duo.  For your personal accounts, enable it wherever it is offered, especially for banking websites.

If you have questions or concerns about this incident or any other Information Security topic, please send an email to infosecurity@vassar.edu.  Always report suspicious emails to catchoftheday@vassar.edu.