Many of you may have heard on the news that more than 772 million email records and 21 million passwords were found in an online database on January 17, 2019. Included in this database were old logins from previous breaches, some as far back as 2008 from sites such as Adobe, Ticketfly, Dropbox, LinkedIn, etc.

As of March 10, 2019, an additional 2 billion unencrypted records were leaked by Verifications IO, a commercial email verification database that includes verified emails, phone numbers, addresses, dates of birth, Facebook, LinkedIn and Instagram account details, credit scoring and even mortgage data such as amount owing and interest rates being charged. There were no social security numbers, no credit card numbers, no passwords. The database has been taken offline.

We are notifying the Georgetown community because your information, which could include your Georgetown email or password, may have been included in this database. Please be aware that your Georgetown account has not been compromised, and this is not the result of a Georgetown breach. The Georgetown University Information Security Office (UISO) regularly receives alerts on account security issues from Google and from the alerting site Have I Been Pwned, along with other valid cybersecurity researchers.

If you used your Georgetown email address on a previously breached site, your account and password may have been exposed. While it is highly likely that the account information is out of date, out of an abundance of caution, UISO would like to make you aware of this situation.

What you should do:

● Refrain from using your Georgetown email password for other sites and services. If you have ever used your current NetID password as the password for any other website or online service, change your NetID password immediately. You can change your NetID password here.

● Enable Duo 2-Factor Authentication for your Georgetown user account. Duo provides an added layer of security in your login process and, should a data breach happen in the future, will protect you immediately. Learn about Duo here.

● Do not reuse passwords on multiple online sites and services. Consider using a legitimate password manager (e.g., LastPass, 1Password, etc.) to generate separate, unique, complex passwords for each account, site or service.

● Know how to spot a phishing attempt. You should be mindful of the fact that, like many millions of Americans, your information has been exposed in past data breaches. If that stolen password no longer works for any of your accounts, thieves may target your email address with phishing attacks seeking to trick you into revealing your actual password. Learn about phishing threats here and here.

For any questions, please feel free to contact security@georgetown.edu.

Find more information on this event here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Updated March 2019: https://www.forbes.com/sites/daveywinder/2019/03/10/2-billion-unencrypted-records-leaked-in-marketing-data-breach-what-happened-and-what-to-do-next/#41c759196b0d