Combo List Notice
MIT IS&T Security received an alert that a large number of MIT addresses were circulating online in two recent "combo lists", collections of email addresses and passwords harvested from various breaches and then combined into master lists. We don't see signs of breaches in MIT systems; security researchers studying the combo lists believe they are a jumble of old passwords that were stolen from many online systems over many years.
We thought it would be wise to warn people that some of their old information is circulating online, and we are sending the following email notification in batches to people whose addresses appeared in the two recent combo lists.
For more information about the combo lists, see:
Hello,
This is MIT's IS&T Security team, letting you know that one of your online accounts was probably compromised in a data breach.
Your email address <$ADDRESS>, plus a password, was found in a huge list of email address and password pairs that has been circulating online since late 2016.
We do not have the list, and we do not know what password was linked with your address on the list. It looks like the list combines passwords that were stolen from many online systems over many years. Security researchers who have studied the list are confident that some of the addresses and passwords are legitimate, but we don't know if all of the addresses and passwords are legitimate, and we don't know which site your password was stolen from, or when.
If you can remember any websites where your login or email address was <$ADDRESS>, you should consider that the password you used for that website may be exposed, available to hackers.
We understand it is frustrating that we can't say specifically which site's password is being shared online. Even though we don't know which password was leaked, we thought it was better to let you know about the situation, so you knew that hackers might start targeting your account(s). Now that you know that hackers have an old password that you used to use, you can be sure to pick new passwords in the future. In fact, it is a good idea to use different passwords for different sites, and use a password manager to help keep track of your passwords.
IS&T offers the password manager "LastPass" to the MIT community free of charge:
If you would like to read more technical details about the exposed password lists that caused us to send this email, see:
Regards,
Security Operations
–
Massachusetts Institute of Technology
Information Systems & Technology (IS&T)
Security Operations
security@mit.edu http://ist.mit.edu/secure
As a reminder: IS&T will NEVER, for any reason, request your username or password via email. If you question the validity of an email supposedly from IS&T, please double check with the IS&T Help Desk (http://ist.mit.edu/help) before responding.