Ashley Madison Hack Includes State Agency

Although not mentioned in the email quoted below, clearly some state employees got caught in the hack of the Ashley Madison website. The odd thing is that the email sent out statewide is entitled “Phishing Scams.” The Ashley Madison hack was just that, a hack. It had nothing to do with phishing scams. I don’t know which is more troublesome, state employees using a website like Ashley—which by the way is blocked for 99% of network users—or that the head security guy is wrongly calling this a phishing scam.

Anyway, here is the email. Please note that links to state intranet sites were removed for this copy. Also, I added emphasis to portion on “data dump”.

Attention CDCR Email Account User,

The CDCR Information Security Office was recently made aware that several CDCR email accounts were published to a public Internet site in a data dump that was hacked by a third-party organization.  The compromised email accounts were used as logons by the users for non-CDCR related activities.  Although corresponding passwords or other personal information were not believe to have been exposed, we ask all users to:

• Do not use the same password for your CDCR account for any non-CDCR purposes such as personal email – this will reduce the risk of having your CDCR account compromised (best practice)
• Do not use the CDCR work email address for personal use such as use your email account to sign up for non-CDCR business related purposes.

Because of this data dump is available to the public, please also take the time to review regarding how to prevent against phishing attacks.

Additionally please:
• Do not enter sensitive or confidential information into any internet website unless it can be verified that the site is authentic,
• Do not reply to emails requesting any sensitive or confidential that originate from an unknown source, and
• Do not provide any sensitive or confidential information over the telephone during conversations that were not initiate by yourself.

If you have any further questions or concerns regarding this email please contact the CDCR Agency Information Security Office.