University of Michigan requires password resets after cyberattack – Source: www.bleepingcomputer.com

On Tuesday, the University of Michigan (UMICH) warned staff and students that they must reset their account passwords after a recent cyberattack.

Emails sent by the university’s CISO and CIO to community members seen by BleepingComputer ask for password changes by September 12.

Failure to abide by this mandatory change will lead to the users being unable to sign into their accounts until they go through the much more intricate forgotten password recovery procedure.

“The University of Michigan is requiring all community members to change their UMICH password by the end of day on Tuesday, September 12,” UMICH CISO Sol Bermann and CIO Ravi Pendse said in emails to university staff and students.

“Everyone on the Ann Arbor, Flint, Dearborn, and Michigan Medicine campuses must change their passwords by Tuesday, September 12,” the university’s ITS Service Center (ITS) also warns.

“If you do not change your password, you will not be able to use your UMICH password, including services that use the U-M Weblogin and U-M managed devices. Alumni, retirees and other groups can change their passwords now. Additional information for these groups will be coming soon.”

Community members are also advised to consult guidelines on changing to a secure password that follows the university’s password complexity requirements.

Those who will experience any issues with the dedicated self-service password tool can find further resources and contact information for UMICH’s ITS Service Center by visiting the “Change Your UMICH Password” page.

On Tuesday, those trying to change their passwords were also warned that they might experience slower performance when signing into their accounts or using the account management app (the issue has since been addressed).

​This week’s warning comes after the University of Michigan disclosed on August 28 that it took all its systems and services offline Sunday afternoon in the aftermath of a cybersecurity incident.

“We took this action to provide our information technology teams the space required to address the issue in the safest possible manner,” the university said.

Systems and services directly affected by the decision to sever connections to the internet across the university’s campus included wired and WiFi campus internet connectivity, M-Pathways, eResearch, DART, and all systems used in the student registration process.

Two days later, CIO Ravi Pendse and President Santa J. Ono said internet connectivity and WiFi were restored across all UMICH campuses.

“We do not have any other information we can share on the investigation. We do not want to share anything that might compromise that important work,” UMICH’s Director of Public Affairs Director of Public Affairs told BleepingComputer today after we reached out for more details regarding what prompted the mandatory password resets.

One month ago, Michigan State University (MSU) also disclosed that some of its third-party service providers had been impacted by the MOVEit data theft attacks, which will likely lead to the exposure of MSU community members’ data, including students and retirees.