April Fool’s Day marked the end of a hacker’s not-so-funny joke on Yale e-mail users.
At approximately 10:30 p.m. Tuesday, approximately 2,100 Yale faculty, students and staff received notice from Information Technology Services that the Pantheon complex — a time-sharing system that allows access to Pine and other services — had been compromised by a hacker on March 19 and that their passwords could be insecure. All recipients were advised to change their passwords immediately. Fortunately for most of the recipients, ITS has since pared down the number of passwords collected by the hacker to approximately 38 people.
“The 38 people we’re working on contacting by phone, by e-mail, by smoke signal, by any method we can find,” said Chuck Powell, director of Academic Media and Technology.
Powell said anyone who logged on to Pantheon between March 19 and late in the day on April 1 was potentially at risk. He said most of the recipients of the advisory e-mail had used Pine to access e-mail accounts. But Powell said e-mailing all of those people was a precautionary measure, and that most of them were likely unaffected by the hacker’s activities.
People who use programs like Eudora, Netscape or Outlook to check e-mail were not affected.
Powell said there is currently very little risk that the hacker would be able to cause further damage.
Mark Lee ’04 said he initially deleted the e-mail after checking with his suitemates, who were not among the recipients.
“Initially, I didn’t do anything about it,” Lee said. “[My roommate] said it was probably an April Fool’s Day joke.”
Lee said he was concerned that the hacker might have access to personal information. He said he planned to change his password.
Powell said the perpetrator was trying to get access to elevated privileges so he could get access to more machines on the Pantheon network.
“As best we can tell, the hacker’s agenda was not to look into your private life, but to get access to more machines,” Powell said.
According to the ITS message sent Tuesday, a staff member logged onto a computer March 19 that had been compromised by the hacker, who subsequently captured the person’s password and used it to attack the Pantheon.
If the hacker had gained control of a substantial number of computers, he could have made changes to the Pantheon interface or used the computers to initiate a “denial of service” attack on other Web sites, Powell said. He said it is possible the hacker could have anticipated some economic gain — for instance, accessing credit card information — but that ITS does not store such information on the Pantheon.
Powell said his main concern is making sure that users feel secure using the Yale network. He said all users should be advised of the safety involved in password selection.
“As a matter of hygiene, we recommend users change their password every three to six months,” Powell said.
ITS is currently investigating the incident, Powell said.