395,000 Compromised Credentials and Counting: How Texas A&M Leverages Flashpoint To Mitigate Risk
About Texas A&M
Created by the Texas Legislature in 1948, the Texas A&M University System (TAMUS) is one of the largest higher education networks in the nation: 11 statewide universities, a comprehensive health science center, eight state agencies, and the RELLIS Campus, a research and testing engineering facility.
The Texas A&M University System educates more than 153,000 students and makes more than 22 million additional educational contacts each year through service and outreach programs.
- Internal networks
- Ransomware and extortion
One portal, lots of access
Unlike corporate accounts, university emails are often used for personal matters. But colleges don’t always age off email addresses, giving them an extended chance of becoming compromised.
“We’re a heavy user of SSO,” said McLarty. “And because of the pervasiveness of password reuse, one set of stolen credentials could open numerous risk apertures.”
Stolen education credentials could be used by threat actors to access third-party apps used within the TAMUS ecosystem.
The same stolen credentials can also grant a threat actor access to marketplaces that offer student, faculty, Veteran or alumni discounts as well as portals outside the university system, including banks and other accounts that may not have added security layers, such as two-factor authentication (2FA), set up. A threat actor could potentially access the TAMUS system with a set of credentials that was stolen elsewhere.
“Flashpoint has become an integral part of our security infrastructure and threat response workflows, impacting what we do day-in, day-out.”
Cody Autrey, Texas A&M University System SecOps Team
“Remember Me” policy changes
At a strategic level, the SecOps team changed its policy on multi-factor authentication (MFA); it now forces users to re-authenticate with MFA every five days, down from legacy standards that in some cases exceeded 60 days.
Operational and tactical impact
The SecOps team has changed its specific intel requirements (SIRs) because they now know not only how they’ve been compromised but also where it has occurred: an end-user device, from within the network, or from compromised third parties.
The SecOps team can leverage Flashpoint’s Technical Intelligence feeds to monitor for specific types of malware or info stealers, thereby focusing their efforts to identify threats they know to be a risk.
“Our previous compromised credential discovery methods were not quick enough to efficiently prevent account takeover,” said McLarty.
“Flashpoint has allowed us to become more efficient in our investigations and provided us the ability to dedicate more time and focus to complex security challenges.”
Nick McLarty, Deputy CISO, Texas A&M University System SecOps