What is happening? An email notification will be sent to approximately 8,200 members of the University of Waterloo community whose WatIAM password appears on one or more lists of compromised passwords that are publicly available.
What is the impact? As a precautionary measure, these individuals will be advised to log in to WatIAM to change their password. There will be no strict requirement or timeframe to do so.
When will the email notifications be sent? The morning of Wednesday, May 19.
- There is no evidence that these accounts have been compromised
- IST does not know the actual passwords for these accounts, only the “hash values” from Active Directory
- The text of the email is below; the Subject will be “Action required: Change your University of Waterloo WatIAM password”
Background information regarding this request
In 2019, IST’s Information Security Services (ISS) team undertook an initiative to audit NEXUS passwords against a list of over 600 million breached passwords. This can be done without knowing the passwords in question, only their “hash values”. A hash value is a one-way mathematical transformation of the password: the hash can be computed from the password, but the password cannot be recovered from the hash. The breached password list is also published in hash form, using the same hash function, so a compromised password can be found by comparing hash values directly.
After comparing the hashes, IST-ISS found approximately 17,000 University of Waterloo accounts that were using a compromised password. The list also records how often each password has appeared in breaches, which indicates the risk associated with each password hash; using this information, IST-ISS has been able to address the higher-risk accounts incrementally in small groups.
This list is now down to a total of just over 8,200 accounts (active in the last 30 months). IST-ISS hopes to address the remaining accounts via this email campaign.
The message recipients will receive from IST-ISS
As you read this or any email notice, verify the links are legitimate before following them. On your computer, hover your mouse over the link. On your smartphone, hold your thumb on the link.
This is an automated message. Do not reply.
You are receiving this message because the password for your WatIAM/NEXUS account USERNAME appears on one or more list(s) of compromised passwords that are publicly available. While there is no evidence that your account is compromised, we recommend that you change your password as soon as possible. This request to change your password is a precautionary measure.
We acknowledge that the risks from this issue are reduced by two-factor authentication (2FA); however, not all services are protected by Duo 2FA.
Please follow the guidance below to change your password
1. Take the time to think of a good passphrase. Visit our password best practices page for help.
2. Avoid reusing the same password at different sites. A compromise at another site could have an impact on your University of Waterloo account if you reuse the password.
3. Log in to WatIAM at https://uwaterloo.ca/watiam/ to change your password. If the password you are replacing is used elsewhere, then you should visit those sites/apps to change each password to a unique value.
4. When you change your password, don’t forget to reset it on, for example, the email client on your mobile device(s).
If you require assistance, then please contact one of the following, as appropriate:
1. Faculty, students, and academic staff: Your faculty or school service desk
2. Anyone, including alumni: The IST service desk
Background and technical details surrounding this change request
The site Have I Been Pwned hosts a database of over 600 million known compromised passwords. The “hash” (a one-way mathematical transformation) of each compromised password is available for download. We compared the hash value of your Active Directory password (we don’t know your password) with the hash values in the downloaded database, and there was a match. We do not know whether the matching password is associated with your username or email address, as that information is not made available. As a precautionary measure, because the number of attacks that reuse passwords from such lists (credential stuffing) has been increasing (e.g., the Canada Revenue Agency was a victim), we are recommending that you change your password as soon as you can.
Do not hesitate to reach out with any questions or concerns.
Director, Information Security Services
Information Systems & Technology