As the Chief Information Security Officer (CISO) at Chapman University, my July blog post is a fictional story about the dangers of password reuse. This narrative highlights the experience of James Cartwell, a fictitious university president, whose accounts were compromised due to a reused password, impacting his personal and professional life. This story serves as a vital reminder to Chapman’s community to adopt strong security practices and protect our digital environment.

Let’s see what happens to James:

James Cartwell was the kind of academic leader who thrived on precision. As the President of a prestigious university, his days were meticulously scheduled, his presentations faultless, and his inboxes managed down to the last unread email. Yet, for all his sharpness in the boardroom, there was one habit James had carried over from simpler times: he reused passwords.

Years earlier, when James was juggling his graduate studies and part-time teaching gigs, he had created a password that was easy to remember: “LADodger$2000.” It was, he thought, secure enough; after all, it had numbers, uppercase letters, a symbol, and even a nod to his favorite baseball team. Over the years, that same password accompanied him through dozens of accounts: his personal email, his academic profiles, his subscription services and, though he’d never admit it, his university email.

What James didn’t know was that his personal email account had been part of a data breach three years ago. The breach had exposed millions of credentials, including his trusted “LADodger$2000.” He had received the notification at the time but brushed it off. “Who would target me?” he thought. He was careful but not paranoid.

The storm arrived on an otherwise ordinary Wednesday. James was in the middle of preparing for a presentation to the university’s Board of Trustees when his assistant rushed into his office, looking pale. “James, your Twitter account…” she began, holding up her phone. The screen displayed his official account, now littered with bizarre and offensive posts. Thousands of followers, many of them students and faculty, were already commenting, bewildered. James’s stomach dropped.

As he scrambled to assess the damage, his phone buzzed with another notification: his university email password had been changed. Panic set in as he realized he no longer had access to his own inbox. Within minutes, IS&T confirmed his fears—someone had hijacked his email and attempted to send out sensitive university documents to unauthorized recipients. The breach threatened to derail the board meeting, damage the institution’s reputation, and potentially open them up to legal liabilities.

The aftermath was grueling. InfoSec’s forensic teams traced the intrusion back to its point of origin: James’s personal email account. It had been the domino that set everything else in motion. The attackers had found his credentials in a breach database circulating on the dark web. Knowing that many people reuse passwords, they had simply tried “LADodger$2000” against other services, a technique known as credential stuffing. The moment it unlocked his Twitter and university email, they exploited both with ruthless efficiency. The forensic teams also determined that 2FA was in place for his university email account, but James had been receiving his 2FA codes by SMS text message, and the attackers bypassed it with a SIM swap: they convinced his cellular carrier to move his phone number to a SIM card they controlled, so the one-time codes meant for him were delivered to them instead. That step was easy, because James had used “LADodger$2000” as the password for his cellular account as well.

James spent weeks trying to repair the damage. The university had to issue statements to the media, students, faculty, staff, parents, and alumni. For James, it was a humbling lesson. He began using a password manager, enabled multi-factor authentication through an authenticator app instead of SMS, and made sure no two accounts ever shared the same password again. Just as importantly, he began to pay attention to the awareness training provided by IS&T’s InfoSec team. Maybe he’d even increase InfoSec’s budget.
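The two habits that undid James, one password shared across services and a password already sitting in a breach corpus, are both things a password manager can check for without ever sending the password itself anywhere. The following is an added example, not code from this post or from Chapman University, showing how such an audit works: it groups accounts by password hash to find reuse, and it checks each password against a breach corpus using the k-anonymity range lookup pattern (only the first five hex characters of the SHA-1 leave the device, as in the Have I Been Pwned range API). The vault entries and the breach corpus are constructed for the example; the `range_lookup` function stands in for the network call.

```python
import hashlib
from collections import defaultdict

# Constructed vault export (account, password). Mirrors the story: one password
# shared across several unrelated services. Not real credentials.
VAULT = [
    ("personal-email", "LADodger$2000"),
    ("twitter", "LADodger$2000"),
    ("university-email", "LADodger$2000"),
    ("cellular-carrier", "LADodger$2000"),
    ("streaming", "correct horse battery staple"),
    ("bank", "z9!Qm#4vLp@2WkTr"),
]

# Constructed stand-in for a breach corpus, stored as upper-case SHA-1 hashes
# the way breach-checking services publish them. Not real breach data.
BREACHED = {"LADodger$2000", "password123", "correct horse battery staple"}
BREACH_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in BREACHED}


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> list[str]:
    """Simulated k-anonymity range query (assumption: stands in for the HTTP
    call). The caller sends only the 5-character prefix and gets back every
    35-character suffix in the corpus that shares it, so the server never
    learns which password was checked."""
    return [h[5:] for h in BREACH_HASHES if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 suffix appears in the range response."""
    h = sha1_upper(password)
    return h[5:] in range_lookup(h[:5])


def find_reuse(vault) -> dict[str, list[str]]:
    """Group accounts by password hash; return only the groups with more than
    one account, i.e. the passwords that are reused."""
    groups = defaultdict(list)
    for account, pw in vault:
        groups[sha1_upper(pw)].append(account)
    return {h: accts for h, accts in groups.items() if len(accts) > 1}


def audit(vault):
    """Return (account, [problems]) for every account that is reused or breached."""
    reused = find_reuse(vault)
    findings = []
    for account, pw in vault:
        h = sha1_upper(pw)
        problems = []
        if h in reused:
            others = [a for a in reused[h] if a != account]
            problems.append("reused on " + ", ".join(others))
        if is_breached(pw):
            problems.append("appears in breach corpus")
        if problems:
            findings.append((account, problems))
    return findings


if __name__ == "__main__":
    for account, problems in audit(VAULT):
        print(f"{account}: {'; '.join(problems)}")
```

In this constructed vault the audit flags five of the six accounts: the four sharing “LADodger$2000” are both reused and breached, and the streaming account uses a passphrase that is famous enough to be in any breach corpus. Only the bank account, with a unique random password, passes. The same two checks are what a real password manager’s health report performs; the value of the k-anonymity pattern is that the check can be run against an external corpus without the corpus operator learning the password.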

However, the impacts were lasting. Periodically, he would find himself awake at night, contemplating the incident. The repercussions of that single reused password extended well beyond the office; it had damaged both his professional and his personal reputation.

This story serves as a powerful reminder of the importance of robust cybersecurity practices. As members of the Chapman University community, we must take proactive steps to protect our digital identities. I urge everyone to use unique passwords for each account, enable multi-factor authentication, and stay vigilant against potential threats. By adopting these measures, we can collectively safeguard our university’s digital environment and ensure the security of our personal and professional information. Let’s commit to making cybersecurity a priority and take action today to prevent similar incidents from occurring in the future.

Remember, if you suspect something, report it to abuse@chapman.edu.

Stay safe, stay vigilant! 

Keith Barros  

Chief Information Security Officer (CISO)  

Chapman University